kernel/locking/rtmutex.c, 1249:
_raw_spin_lock_irqsave in rt_mutex_slowlock
To fix the bug, the spinlock is released before schedule() and then acquired
again.
This is found by my static analysis tool (DSAC).
Signed-off-by: Jia-Ju Bai
---
kernel/locking/rtmutex.c | 6 --
1 file changed
On 2018/8/11 10:44, Steven Rostedt wrote:
On Sat, Aug 11, 2018 at 10:35:24AM +0800, Jia-Ju Bai wrote:
The driver may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] schedule
kernel/locking/rtmutex.c, 1223:
schedule
/locking/rtmutex.c, 1249:
_raw_spin_lock_irqsave in rt_mutex_slowlock
To fix the bug, the spinlock is released before the loop of schedule()
This is found by my static analysis tool (DSAC).
Signed-off-by: Jia-Ju Bai
---
v2:
* Release the spinlock before the loop, instead of v1
in
rcu_torture_timer
kernel/rcu/rcutorture.c, 1104: spin_lock in rcu_torture_timer
Note that [FUNC_PTR] means a function pointer call is used.
I do not find a good way to fix, so I only report.
This is found by my static analysis tool (DSAC).
Thanks,
Jia-Ju Bai
,
Jia-Ju Bai
.
This is found by my static analysis tool (DSAC).
Signed-off-by: Jia-Ju Bai
---
fs/jffs2/malloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jffs2/malloc.c b/fs/jffs2/malloc.c
index ce1189793288..66496ef09716 100644
--- a/fs/jffs2/malloc.c
+++ b/fs/jffs2
(), and
then be acquired again.
This is found by my static analysis tool (DSAC).
Thanks,
Jia-Ju Bai
/callback_proc.c, 544: referring_call_exists in nfs4_callback_sequence
fs/nfs/callback_proc.c, 504: spin_lock in nfs4_callback_sequence
I do not find a good way to fix, so I only report.
This is found by my static analysis tool (DSAC).
Thanks,
Jia-Ju Bai
/pnfs_nfs.c, 154: spin_lock in pnfs_generic_recover_commit_reqs
I do not find a good way to fix, so I only report.
This is found by my static analysis tool (DSAC).
Thanks,
Jia-Ju Bai
On 2018/8/13 12:18, Paul E. McKenney wrote:
On Mon, Aug 13, 2018 at 11:04:10AM +0800, Jia-Ju Bai wrote:
The kernel may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] schedule_timeout_interruptible
kernel/rcu/rcutorture.c, 523
On 2018/8/13 16:56, Jan Kara wrote:
Hi,
On Mon 13-08-18 11:10:23, Jia-Ju Bai wrote:
The kernel may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] schedule
fs/dax.c, 259: schedule in get_unlocked_mapping_entry
fs/dax.c, 450
On 2018/8/13 20:42, Paul E. McKenney wrote:
On Mon, Aug 13, 2018 at 05:26:49PM +0800, Jia-Ju Bai wrote:
On 2018/8/13 12:18, Paul E. McKenney wrote:
On Mon, Aug 13, 2018 at 11:04:10AM +0800, Jia-Ju Bai wrote:
The kernel may sleep while holding a spinlock.
The function call paths (from
k_mutex;
map->unlock = regmap_unlock_mutex;
lockdep_set_class_and_name(&map->mutex,
lock_key, lock_name);
}
But after reading the code, I cannot find the relationship between the
if condition and atomic context.
I am looking forward to your reply, than
On 2018/8/28 16:49, Johan Hovold wrote:
On Mon, Aug 27, 2018 at 10:55:17PM +0200, Alexandre Belloni wrote:
Hi,
On 30/07/2018 21:53:14+0800, Jia-Ju Bai wrote:
omap_rtc_power_off() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can
operation in CPU0 is performed
while holding a spinlock, but the READ operation in CPU1 is performed
without holding this spinlock, so there may exist a data race.
Best wishes,
Jia-Ju Bai
Thanks for the reply :)
On 2018/10/3 23:54, Takashi Iwai wrote:
On Wed, 03 Oct 2018 14:50:25 +0200,
Jia-Ju Bai wrote:
CPU0:
snd_trident_hw_free
snd_trident_free_voice
line 3870: spin_lock_irqsave()
line 3881: voice->substream = NULL; [WRITE]
C
On 2018/9/30 3:20, Jiri Kosina wrote:
On Sat, 29 Sep 2018, Jia-Ju Bai wrote:
picolcd_send_and_wait (acquire a spinlock)
hid_hw_request
__hid_request
hid_alloc_report_buf(GFP_KERNEL)
picolcd_reset (acquire a spinlock)
hid_hw_request
__hid_request
On 2018/10/4 13:24, Takashi Iwai wrote:
On Thu, 04 Oct 2018 05:08:45 +0200,
Jia-Ju Bai wrote:
Thanks for the reply :)
On 2018/10/3 23:54, Takashi Iwai wrote:
On Wed, 03 Oct 2018 14:50:25 +0200,
Jia-Ju Bai wrote:
CPU0:
snd_trident_hw_free
snd_trident_free_voice
line
e give me explanation?
Thanks in advance :)
Best wishes,
Jia-Ju Bai
/usb_ops_linux.c, 604:
rtw_chk_hi_queue_cmd in usb_write_port_complete
To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC.
These bugs are found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8188eu/core/rtw_cmd.c | 4 ++--
1 file changed, 2
To fix this bug, msleep() is replaced with mdelay().
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c
b/drivers
:
spin_lock_irq in srp_send_tsk_mgmt
To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/infiniband/core/mad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers
:
_raw_spin_lock_irqsave in lg4ff_play
To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/hid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
, 5241:
_raw_spin_lock_irqsave in intel_iommu_enable_pasid
To fix this bug, usleep_range() is replaced with udelay().
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/pci/controller/dwc/pcie-designware.c | 2 +-
1 file changed, 1 insertion(+), 1
On 2018/9/24 17:26, Jiri Kosina wrote:
On Thu, 13 Sep 2018, Jia-Ju Bai wrote:
hid_alloc_report_buf() has to be called with GFP_ATOMIC in
__hid_request(), because there are the following callchains
leading to __hid_request() being an atomic context:
picolcd_send_and_wait (acquire a spinlock
er also calls
"iounmap(hw->ce4100_gbe_mido_base_virt)" but
hw->ce4100_gbe_mido_base_virt has not been assigned.
These bugs are found by a runtime fuzzing tool named FIZZER written by us.
To fix these bugs, the error handling code of e1000_probe() is adjusted.
Signed-off-by: Jia-Ju Bai
---
drivers
On 2019/1/7 16:52, Greg KH wrote:
On Mon, Jan 07, 2019 at 04:47:43PM +0800, Jia-Ju Bai wrote:
The driver functions mxs_auart_settermios(), dma_rx_callback() and
dma_tx_callback() can be concurrently executed.
In Linux 4.19:
mxs_auart_settermios
mxs_auart_dma_exit
On 2019/1/7 16:57, Greg KH wrote:
On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and
hdlcdev_open() can be concurrently executed.
hdlcdev_open
startup
claim_resources
rx_alloc_buffers
lock_irqsave() in
nv_start_xmit() and nv_start_xmit_optimized() are moved to the
front of "prev_tx_ctx->skb = skb;"
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/nvidia/forcedeth.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/nvidia/forcedeth.
On 2019/1/8 20:54, Zhu Yanjun wrote:
On 2019/1/8 20:45, Jia-Ju Bai wrote:
In drivers/net/ethernet/nvidia/forcedeth.c, the functions
nv_start_xmit() and nv_start_xmit_optimized() can be concurrently
executed with nv_poll_controller().
nv_start_xmit
line 2321: prev_tx_ctx->skb =
c tool written by myself and
my manual code review.
To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/i4l/isdn_tty.c | 6 +-
1 file changed, 5 insertions(+), 1 dele
On 2019/1/4 8:47, Benjamin Herrenschmidt wrote:
On Wed, 2018-12-26 at 21:56 +0800, Jia-Ju Bai wrote:
In drivers/fsi/fsi-sbefifo.c, the functions sbefifo_user_release(),
sbefifo_user_read() and sbefifo_user_write() may be concurrently executed.
So after refreshing my mind, looking
On 2019/1/9 9:24, Yanjun Zhu wrote:
On 2019/1/8 20:57, Jia-Ju Bai wrote:
On 2019/1/8 20:54, Zhu Yanjun wrote:
On 2019/1/8 20:45, Jia-Ju Bai wrote:
In drivers/net/ethernet/nvidia/forcedeth.c, the functions
nv_start_xmit() and nv_start_xmit_optimized() can be concurrently
executed
On 2019/1/9 10:35, Yanjun Zhu wrote:
On 2019/1/9 10:03, Jia-Ju Bai wrote:
On 2019/1/9 9:24, Yanjun Zhu wrote:
On 2019/1/8 20:57, Jia-Ju Bai wrote:
On 2019/1/8 20:54, Zhu Yanjun wrote:
On 2019/1/8 20:45, Jia-Ju Bai wrote:
In drivers/net/ethernet/nvidia/forcedeth.c, the functions
On 2019/1/9 11:24, Yanjun Zhu wrote:
If you have forcedeth NIC, you can make tests with it.:-)
Ah, I would like to, but I do not have the hardware...
Best wishes,
Jia-Ju Bai
way may be to replace up() and down()
with spin_lock() and spin_unlock().
Best wishes,
Jia-Ju Bai
spin_lock() and
spin_unlock().
Best wishes,
Jia-Ju Bai
urb->transfer_buffer;
Thus, a concurrency use-after-free bug may occur.
This possible bug is found by a static analysis tool written by myself.
Best wishes,
Jia-Ju Bai
On 2018/12/20 21:46, Johan Hovold wrote:
On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:
In drivers/usb/serial/garmin_gps.c,
the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
may be concurrently executed.
In garmin_write_bulk_callback() on line 969
ock() are
added in sbefifo_user_release().
Signed-off-by: Jia-Ju Bai
---
drivers/fsi/fsi-sbefifo.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
index d92f5b87c251..e278a9014b8f 100644
--- a/drivers/fsi/fsi-sbefifo.c
+++ b/drivers/fs
-after-free bug may occur
in HFCPCI_l1hw().
To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
access to cs->tx_skb.
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/hisax/hfc_pci.c | 2 ++
1 file changed, 2 insertions(+)
d
ne 691: proto->prepare_tx(..., skb->len, ...)
Thus, a possible concurrency use-after-free bug may occur.
To fix this bug, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in arcnet_reply_tasklet() to protect
dev_kfree_skb(lp->outgoing.skb).
Signed-off-by: Jia-Ju Ba
A possible fixing way is to use a lock to protect these accesses.
I am not sure about this way, so I only report the bugs.
Best wishes,
Jia-Ju Bai
ne 691: proto->prepare_tx(..., skb->len, ...)
Thus, a possible concurrency use-after-free bug may occur.
To fix this bug, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in arcnet_reply_tasklet() to protect
dev_kfree_skb(lp->outgoing.skb).
Signed-off-by: Jia-Ju Bai
On 2018/9/5 16:29, Jiri Kosina wrote:
On Sat, 1 Sep 2018, Jia-Ju Bai wrote:
The driver may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] hid_alloc_report_buf(GFP_KERNEL)
drivers/hid/hid-core.c, 1435:
hid_alloc_report_buf
".force_die" in the kernel code.
So calling the function pointer in line 573 may cause a null pointer
dereference.
Best wishes,
Jia-Ju Bai
On 2018/7/26 22:12, Greg KH wrote:
On Thu, Jul 26, 2018 at 10:02:22PM +0800, Jia-Ju Bai wrote:
In Linux-4.16, drivers/staging/lustre/lustre/ptlrp/sec.c,
Please look at the 4.18-rc6 release for this file.
In short, nothing to worry about anymore :)
Looks good now :)
Best wishes,
Jia-Ju
in pci_specified_resource_alignment
In fact, I suspect that my report is false, because I always have an
impression that printk() cannot sleep.
But according to the call path, I cannot find where I make the mistake...
So could someone please help me to point out the mistake?
Best wishes,
Jia-Ju Bai
d still return 0 in case the flag is set.
If it's only used in three locations, I think it would be better to
simply remove it from vsprintf() and have the three callers call
clk_get_rate() directly.
Agreed.
Best wishes,
Jia-Ju Bai
On 2018/5/31 22:08, Matthew Wilcox wrote:
On Thu, May 31, 2018 at 09:10:07PM +0800, Jia-Ju Bai wrote:
I write a static analysis tool (DSAC), and it finds that kfree() can sleep.
Here is the call path for kfree().
Please look at it *from the bottom up*.
[FUNC] alloc_pages(GFP_KERNEL)
arch
On 2018/5/31 22:09, Christopher Lameter wrote:
On Thu, 31 May 2018, Jia-Ju Bai wrote:
I write a static analysis tool (DSAC), and it finds that kfree() can sleep.
That should not happen.
Here is the call path for kfree().
Please look at it *from the bottom up*.
[FUNC] alloc_pages
tool does not follow the data flow well, and I need to
improve it.
In this case of kfree(), I want to know how the data flow leads to my mistake.
Best wishes,
Jia-Ju Bai
".
It's trickier to say for sure when you're not holding a lock...
Jia-Ju Bai is working on this. The tool is available on github. It's
still being improved, though, so perhaps it's not yet ready for eg 0-day
inclusion. He can give more details.
Thanks for Julia's recommendation :)
elf.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/bfusb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index ab090a313a5f..0588639b899a 100644
--- a/drivers/blu
essary. GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/bluecard_cs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
alysis tool named DCNS written by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/bpa10x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c
it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/btmrvl_sdio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
index 6f99b9f3d57f..af36ed6376ad 100644
--- a/drivers/bluetooth/btmrvl_sdio.c
+++ b/drivers
found by a static analysis tool named DCNS written by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/btusb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/hci_intel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
index 7c166e3b308b..46ace321bf60 100644
code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/bluetooth/hci_qca.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 05ec530b8a3a..021d966b8f08 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b
s is found by a static analysis tool named DCNS written by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/firewire/sbp2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c
index 6b
by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai
---
drivers/firmware/memmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/memmap.c b/drivers/firmware/memmap.c
index 5de3ed29282c..598eb0511097 100644
Thanks for the reply :)
On 2018/7/23 20:24, Stefan Richter wrote:
Adding Cc: LSML
On Jul 23 Jia-Ju Bai wrote:
sbp2_scsi_queuecommand() is only set to .queuecommand of
"struct scsi_host_template", and this function pointer is never called
in atomic context.
As far as
-by: Jia-Ju Bai
---
drivers/firewire/init_ohci1394_dma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firewire/init_ohci1394_dma.c
b/drivers/firewire/init_ohci1394_dma.c
index 2cc89ce745c9..6b5a3c12f715 100644
--- a/drivers/firewire/init_ohci1394_dma.c
+++ b/drivers
On 2018/9/3 4:32, Jason Gunthorpe wrote:
On Sat, Sep 01, 2018 at 08:06:59PM +0800, Jia-Ju Bai wrote:
The driver may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] alloc_mad_private(GFP_KERNEL)
drivers/infiniband/core/mad.c, 2264
On 2018/9/11 15:49, Sebastian Andrzej Siewior wrote:
On 2018-09-01 16:12:10 [+0800], Jia-Ju Bai wrote:
wdm_in_callback() is a completion handler function for the USB driver.
So it should not sleep. But it calls service_outstanding_interrupt(),
which calls usb_submit_urb() with GFP_KERNEL
On 2018/9/11 16:40, Gustavo Pimentel wrote:
Hi Jia,
On 02/09/2018 04:38, Jia-Ju Bai wrote:
The driver may sleep while holding a spinlock and in an interrupt handler.
The function call paths (from bottom to top) in Linux-4.16 are:
[FUNC] usleep_range
drivers/pci/dwc/pcie-designware.c, 181
Thanks for the reply :)
On 2018/9/11 1:41, Mark Brown wrote:
On Thu, Aug 30, 2018 at 10:34:20AM +0800, Jia-Ju Bai wrote:
My static tool DSAC reports many sleep-in-atomic-context bugs involving
regmap_lock_mutex(), so I wonder whether this function is possible to be
executed in atomic context
hid_alloc_report_buf(GFP_KERNEL)
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
v2:
* Make the description more human readable.
Thanks Jiri for good advice.
---
drivers/hid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers
On 2018/10/9 17:07, Lee Jones wrote:
On Mon, 17 Sep 2018, Jia-Ju Bai wrote:
On 2018/9/17 9:03, Lee Jones wrote:
On Sat, 15 Sep 2018, Jia-Ju Bai wrote:
The driver may sleep in an interrupt handler.
The function call paths (from bottom to top) in Linux-4.17 are:
[FUNC] mutex_lock_nested
(), the bug fix is to remove the
calls to spin-lock and -unlock functions in coh901318_config().
Signed-off-by: Jia-Ju Bai
---
drivers/dma/coh901318.c | 4
1 file changed, 4 deletions(-)
diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
index eebaba3d9e78..fd862a478738 100644
().
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index
:
_rtw_pwr_wakeup in rtw_set_802_11_disassociate
drivers/staging/rtl8723bs/core/rtw_ioctl_set.c, 501:
spin_lock_bh in rtw_set_802_11_disassociate
To fix these bugs, msleep() is replaced with mdelay().
These bugs are found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers
:
rtw_set_802_11_infrastructure_mode in rtw_wx_set_wap
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c, 988:
spin_lock_bh in rtw_wx_set_wap
To fix this bug, msleep() is replaced with mdelay().
This bug is found by my static analysis tool DSAC.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8188eu/core
] mutex_lock_nested
drivers/mfd/ezx-pcap.c, 244:
mutex_lock_nested in pcap_adc_trigger
drivers/mfd/ezx-pcap.c, 299:
pcap_adc_trigger in pcap_adc_irq (interrupt handler)
These bugs are found by my static analysis tool DSAC.
Best wishes,
Jia-Ju Bai
On 2018/9/17 9:03, Lee Jones wrote:
On Sat, 15 Sep 2018, Jia-Ju Bai wrote:
The driver may sleep in an interrupt handler.
The function call paths (from bottom to top) in Linux-4.17 are:
[FUNC] mutex_lock_nested
drivers/mfd/ezx-pcap.c, 272:
mutex_lock_nested in pcap_adc_irq (interrupt
ank Alexander Duyck for his valuable suggestion.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/e1000e/netdev.c | 24
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c
b/drivers/net/ethernet/intel/e1000e/ne
On 08/05/2015 06:43 PM, Jeff Kirsher wrote:
Is your intention that this patch replace the existing patch:
http://patchwork.ozlabs.org/patch/502990/
...which is currently in my queue?
Okay, please replace the previous patch.
--
To unsubscribe from this list: send the line "unsubscribe
In error handling code of igb_probe, the memory adapter->shadow_vfta
allocated by kcalloc in igb_sw_init is not freed. So when register_netdev
or igb_init_i2c fails, a memory leak will occur.
This patch adds kfree to fix it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/
ring->head" is only assigned in e1000_configure_tx
in e1000_configure, but it is after e1000e_setup_rx_resources.
This patch adds a check to fix it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/e1000e/netdev.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
The driver lacks the check of nic->cbs_pool after pci_pool_create
in e100_probe. When this function fails, a null pointer dereference
occurs when pci_pool_alloc uses nic->cbs_pool in e100_alloc_cbs.
This patch adds a check and related error handling code to fix it.
Signed-off-by: Jia-
When pci_dma_mapping_error in e100_xmit_prepare fails, the skb buffer
allocated by netdev_alloc_skb_ip_align in e100_rx_alloc_skb is not
released, which causes a possible resource leak.
This patch adds error handling code to fix it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel
When vortex_up fails, the skb buffers allocated by __netdev_alloc_skb
in vortex_open are not released, which may cause resource leaks.
This bug has been submitted before.
This patch modifies the error handling code to fix it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/3com/3c59x.c
When igb_init_interrupt_scheme in igb_sriov_reinit fails, the lock
acquired by rtnl_lock() is not released, which causes a deadlock.
This patch adds rtnl_unlock() in error handling to fix it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/igb/igb_main.c |1 +
1 file changed
"schedule" and "cpu_relax".
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/qla4xxx/ql4_nx.c |8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/qla4xxx/ql4_nx.c b/drivers/scsi/qla4xxx/ql4_nx.c
index e91abb3..1cf5f4a 100644
--- a/drivers/scsi/qla
may sleep
To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/i4l/isdn_ppp.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index d07dd519..8aa15
xed it, the spin lock is released before "i40e_vsi_remove_pvid", and
the lock is acquired again after this function.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethern
p
To fix it, the "spin_lock" and "spin_unlock" are removed in enic_reset.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/cisco/enic/enic_main.c |2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c
b/drivers/net/ethernet
p
To fix it, the "spin_lock" and "spin_unlock" are removed
in enic_tx_hang_reset.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/cisco/enic/enic_main.c |2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c
b/drivers/net/et
The driver may sleep under a spin lock, and the function call path is:
mraid_mm_attach_buf (acquire the lock by spin_lock_irqsave)
pci_pool_alloc(GFP_KERNEL) --> may sleep
To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
Signed-off-by: Jia-Ju Bai
---
The driver may sleep under a spin lock, and the function call path is:
ffs_epfile_io (acquire the lock by spin_lock_irq)
usb_ep_alloc_request(GFP_KERNEL) --> may sleep
To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
Signed-off-by: Jia-Ju Bai
---
drivers/usb
The driver may sleep under a spin lock, and the function call path is:
iscsit_tpg_enable_portal_group (acquire the lock by spin_lock)
iscsi_update_param_value
kstrdup(GFP_KERNEL) --> may sleep
To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
Si
"schedule" and "cpu_relax".
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/qla4xxx/ql4_glbl.h |2 +-
drivers/scsi/qla4xxx/ql4_nx.c |8 +---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/qla4xxx/ql4_glbl.h b/drivers/scsi/qla4xxx/ql4_glbl.h
index bc
The driver may sleep under a read spin lock, and the function call path is:
send_socklist (acquire the lock by read_lock)
skb_copy(GFP_KERNEL) --> may sleep
To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/mISDN/st
d-off-by: Jia-Ju Bai
---
drivers/md/bcache/journal.c |1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
index 1198e53..ad47c36 100644
--- a/drivers/md/bcache/journal.c
+++ b/drivers/md/bcache/journal.c
@@ -724,6 +724,7 @@ static struct
lock.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/lustre/lnet/libcfs/workitem.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/lustre/lnet/libcfs/workitem.c
b/drivers/staging/lustre/lnet/libcfs/workitem.c
index dbc2a9b..cef25c8 100644
d spin_unlock.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/lustre/lnet/libcfs/workitem.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/lustre/lnet/libcfs/workitem.c
b/drivers/staging/lustre/lnet/libcfs/workitem.c
index dbc2a9b..7e25eb9 100644
d spin_unlock.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/lustre/lnet/libcfs/workitem.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/lustre/lnet/libcfs/workitem.c
b/drivers/staging/lustre/lnet/libcfs/workitem.c
index dbc2a9b..30d28cd 100644
--- a/dr
d spin_unlock.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/lustre/lnet/libcfs/workitem.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/lustre/lnet/libcfs/workitem.c
b/drivers/staging/lustre/lnet/libcfs/workitem.c
index dbc2a9b..9c530cf 100644