mci_setup_bus(host->slot, true);
struct dw_mci *host = slot->host;
Thus, possible null-pointer dereferences may occur.
To fix these bugs, host->slot is checked before being used.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
driv
On 2019/5/28 21:00, Larry Finger wrote:
On 5/28/19 6:55 AM, Kalle Valo wrote:
Jia-Ju Bai wrote:
*BUG 1:
In rtl_pci_probe(), when rtlpriv->cfg->ops->init_sw_vars() fails,
rtl_deinit_core() in the error handling code is executed.
rtl_deinit_core() calls rtl_free_entries_from_
().
These data races are found by our concurrency fuzzer.
Signed-off-by: Jia-Ju Bai
---
fs/jfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index b2dc4d1f9dcc..8c80397df336 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -1027,13
->log->gclock is used in
metapage_writepage().
This data race is found by our concurrency fuzzer.
Signed-off-by: Jia-Ju Bai
---
fs/jfs/jfs_metapage.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index a2f5338a5ea1..026c
ound by our concurrency fuzzer.
Signed-off-by: Jia-Ju Bai
---
fs/jfs/jfs_txnmgr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c8ce7f1bc594..a1f124aad2e0 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -415,7 +415,9 @@ tid_t txBeg
ency fuzzer.
Signed-off-by: Jia-Ju Bai
---
fs/xfs/xfs_icache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
index 8bf1d15be3f6..a2de08222ff5 100644
--- a/fs/xfs/xfs_icache.c
+++ b/fs/xfs/xfs_icache.c
@@ -229,9 +229,9 @@ xfs_inode_set_rec
ents are
used before this array is unmapped.
Because I am not familiar with streaming DMA mapping, I wonder whether
these violations are real?
If they are real, what problems can they cause?
Thanks a lot :)
Best wishes,
Jia-Ju Bai
iable at the beginning of esas2r_process_vda_ioctl(),
and this variable replaces each use of vi->function in the function.
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/esas2r/esas2r_vda.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/esas2r/
commit message?
Thanks, Markus.
I am not sure how to add the tag "Fixes"...
I need to find which previous commit added the code about txBegin()?
Best wishes,
Jia-Ju Bai
"git blame" to find the last change on the related source code.
I will send V2 patches, thanks again :)
Best wishes,
Jia-Ju Bai
kernel.
Thus, adding the tag "Fixes" of this commit should be useless...
Best wishes,
Jia-Ju Bai
r.
Thus use the spin lock "mp->log->gclock" for the assignment of
the data structure member "log->cflag" to a local variable
in this function implementation.
Signed-off-by: Jia-Ju Bai
---
v2:
* Change the description.
Thank Markus Elfring for good advice.
---
fs
"gclock" for the resetting of five
data structure members in this function implementation.
Signed-off-by: Jia-Ju Bai
---
v2:
* Change the description.
Thank Markus Elfring for good advice.
---
fs/jfs/jfs_txnmgr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_txnmg
/jfs_metapage.c | 11 +--
I suggest omitting the triple dashes before this information.
Okay, thanks.
Best wishes,
Jia-Ju Bai
MA local variable "index" at the beginning of
ttusb_dec_handle_irq(), and then this variable replaces each use of
buffer[4] in the function.
Signed-off-by: Jia-Ju Bai
---
drivers/media/usb/ttusb-dec/ttusb_dec.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/
r.
Thus use the spin lock "mp->log->gclock" for the assignment of
the data structure member "log->cflag" to a local variable
in this function implementation.
Signed-off-by: Jia-Ju Bai
---
v2:
* Change the description.
Thank Markus Elfring for good advice.
fs
"gclock" for the resetting of five
data structure members in this function implementation.
Signed-off-by: Jia-Ju Bai
---
v2:
* Change the description.
Thank Markus Elfring for good advice.
fs/jfs/jfs_txnmgr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_txnmg
will resend my patches for jfs.
Best wishes,
Jia-Ju Bai
jfs_lazycommit().
Signed-off-by: Jia-Ju Bai
---
v2:
* Change the description.
Thank Markus Elfring for good advice.
fs/jfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index b2dc4d1f9dcc..8c80397df336 100644
--- a/fs/jfs/super.c
+++ b
ring that DMA can fail or be attacked, I think that it is dangerous to
use a DMA value (or any value tainted by it) as an array index or a
control-flow condition. However, I have found many such dangerous cases
in Linux device drivers through my static-analysis tool and code review.
I am not sure whether my opinion is correct, so I want to listen to your
points of view.
Thanks in advance :)
Best wishes,
Jia-Ju Bai
ck_irq(>gclock); // LOGGC_LOCK
-
+ smp_mb__after_spinlock();
tblk->flag |= tblkGC_COMMITTED;
-
+ smp_wmb();
if (tblk->flag & tblkGC_READY)
log->gcrtc--;
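Review bot: the smp_mb__after_spinlock() added after the LOGGC_LOCK acquisition and the smp_wmb() added after `tblk->flag |= tblkGC_COMMITTED;` carry no comment saying which reader-side access or barrier each one pairs with; kernel convention (Documentation/memory-barriers.txt, and checkpatch warns on an uncommented barrier) is to document that pairing, so please add a comment naming the lockless reader of tblk->flag these barriers order against, and if the flag is only ever read under gclock the smp_wmb() is redundant and should be dropped.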
I think this patch is okay.
Thanks a lot, Hillf :)
Best wishes,
Jia-Ju Bai
race, the spinlock cache->lock is used to protect the
access to cache->cached in btrfs_block_group_done().
Signed-off-by: Jia-Ju Bai
---
fs/btrfs/block-group.h | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h
in
chronized, and thus
data races for this value can occur.
These data races were found and actually reproduced by our concurrency
fuzzer.
To fix these races, the spinlock mapping->private_lock is used to
protect the accesses to mapping->writeback_index.
Signed-off-by: Jia-Ju Bai
---
fs/btrfs/
re found and actually reproduced by our concurrency
fuzzer.
To fix these races, the spinlock delayed_refs_rsv->lock is used to
protect the access to delayed_refs_rsv->full in start_transaction().
Signed-off-by: Jia-Ju Bai
---
fs/btrfs/transaction.c | 9 +++--
1 file changed, 7 insertio
actually reproduced by our concurrency fuzzer.
To fix this race, the spinlock delayed_rsv->lock is used to
protect the access to delayed_rsv->full in btrfs_block_rsv_release().
Signed-off-by: Jia-Ju Bai
---
fs/btrfs/block-rsv.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a
On 2020/5/9 18:53, Nikolay Borisov wrote:
On 9.05.20 at 8:20, Jia-Ju Bai wrote:
The functions btrfs_block_group_done() and caching_thread() are
concurrently executed at runtime in the following call contexts:
Thread 1:
btrfs_sync_file()
start_ordered_ops
Hi Greg,
Thanks for the reply :)
On 2020/5/6 2:10, Greg KH wrote:
On Tue, May 05, 2020 at 10:21:10PM +0800, Jia-Ju Bai wrote:
In this case, "buffer[4] - 1 < ARRAY_SIZE(rc_keys)"
can be first satisfied, and then the value of buffer[4] can be changed
to a large number, causing a bu
On 2020/5/6 19:07, Greg KH wrote:
On Wed, May 06, 2020 at 06:13:01PM +0800, Jia-Ju Bai wrote:
I have never modified DMA memory in the real world, but an attacker can use
a malicious device to do this.
There is a video that shows how to use the Inception tool to perform DMA
attacks and login
On 2020/5/6 23:52, Greg KH wrote:
On Wed, May 06, 2020 at 11:30:22PM +0800, Jia-Ju Bai wrote:
On 2020/5/6 19:07, Greg KH wrote:
On Wed, May 06, 2020 at 06:13:01PM +0800, Jia-Ju Bai wrote:
I have never modified DMA memory in the real world, but an attacker can use
a malicious device to do
On 2020/5/7 1:43, Greg KH wrote:
On Thu, May 07, 2020 at 12:48:47AM +0800, Jia-Ju Bai wrote:
Yes, I agree that this issue is not new, because DMA attacks are old
problems.
But I am a little surprised that many current drivers are still vulnerable
to DMA attacks.
Given that the attack vector
On 2020/5/7 15:52, Greg KH wrote:
On Thu, May 07, 2020 at 01:15:22PM +0800, Jia-Ju Bai wrote:
At present, I only detect the cases that a DMA value *directly* taints array
index, loop condition and important kernel-interface calls (such as
request_irq()).
In this one driver, I only find two
Thanks for the reply, Sean :)
On 2020/5/7 16:43, Sean Young wrote:
On Tue, May 05, 2020 at 10:21:10PM +0800, Jia-Ju Bai wrote:
Signed-off-by: Jia-Ju Bai
---
drivers/media/usb/ttusb-dec/ttusb_dec.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/media
In ttusb_dec_handle_irq(), buffer[4] is continuously read from memory
three times, without being modified.
To reduce the number of memory reads, buffer[4] is first assigned to a
local variable index, and then index is used to replace buffer[4].
Signed-off-by: Jia-Ju Bai
---
drivers/media/usb
On 2020/5/13 5:56, David Sterba wrote:
On Sat, May 09, 2020 at 01:27:01PM +0800, Jia-Ju Bai wrote:
The function extent_write_cache_pages is concurrently executed with
itself at runtime in the following call contexts:
Thread 1:
btrfs_sync_file()
start_ordered_ops
On 2020/5/13 6:18, David Sterba wrote:
On Sat, May 09, 2020 at 01:34:31PM +0800, Jia-Ju Bai wrote:
The functions btrfs_block_rsv_release() and
btrfs_update_delayed_refs_rsv() are concurrently executed at runtime in
the following call contexts:
Thread 1:
btrfs_file_write_iter
od advice.
Signed-off-by: Jia-Ju Bai
---
fs/reiserfs/journal.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 4517a1394c6f..11155b8513db 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -3444,9 +3444,8
alysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/media/platform/qcom/venus/vdec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/venus/vdec.c
b/drivers/media/platform/qcom/venus/vdec.c
index e1f998656c07..12c31551f191
ked before being used.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/dma/mv_xor.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
index 0ac8e7b34e12..08c0b2a9eb32 100
" is used instead.
Signed-off-by: Jia-Ju Bai
---
drivers/dma/stm32-mdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
index d6e919d3936a..1311de74bfdd 100644
--- a/drivers/dma/stm32-mdma.c
+++ b/drivers/dma/stm32-mdma.
ool STCheck written by us.
I do not know how to correctly fix this bug, so I only report it.
Best wishes,
Jia-Ju Bai
found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
net/sched/sch_codel.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 25ef172c23df..30169b3adbbb 100644
--- a/net/sched/sch_codel.c
+++ b/net
occur.
To fix this bug, tpg->tpg_tiqn is checked before being used.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/target/iscsi/iscsi_target_tpg.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dr
si_done(cmd->scmd);
on line 3343:
cmd->scmd->scsi_done(cmd->scmd);
Thus, possible null-pointer dereferences may occur.
To fix these bugs, cmd->scmd is checked before being used.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
null-pointer dereference may occur.
To fix this bug, kfree(target) is called and NULL is returned when
kzalloc() on line 2855 fails.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/ath/ath6kl/htc_mbox.c | 4 ++--
1 file changed,
dereference may occur.
To fix this bug, mpt3sas_phy->phy is checked before being used.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dr
nd by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
fs/xfs/scrub/dabtree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/scrub/dabtree.c b/fs/xfs/scrub/dabtree.c
index 94c4f1de1922..33ff90c0dd70 100644
--- a/fs/xfs/scrub/dabtree.c
++
ur.
These bugs are found by a static analysis tool STCheck written by us.
I do not know how to correctly fix these bugs, so I only report them.
Best wishes,
Jia-Ju Bai
-Ju Bai
On 2019/7/29 12:20, Darrick J. Wong wrote:
On Mon, Jul 29, 2019 at 11:24:01AM +0800, Jia-Ju Bai wrote:
In xchk_da_btree_block_check_sibling(), there is an if statement on
line 274 to check whether ds->state->altpath.blk[level].bp is NULL:
if (ds->state->altpath.blk[level].
ull-pointer dereference may occur.
To fix this bug, skb->end is used when skb is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
Fixes tag, please?
Sorry, I do not know what "fixes tag" means...
I just find a poss
is NULL:
if (skb)
When skb is NULL, it is used on line 77:
prefetch(&skb->end);
Thus, a possible null-pointer dereference may occur.
To fix this bug, skb->end is used when skb is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
found by a static analysis tool STCheck written by us.
Fixes: 79bdc4c862af ("codel: generalize the implementation")
Signed-off-by: Jia-Ju Bai
---
v2:
* Add a fix tag.
Thank Jiri Pirko for helpful advice.
---
net/sched/sch_codel.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
On 2019/7/29 16:03, Steffen Klassert wrote:
On Mon, Jul 29, 2019 at 11:43:49AM +0800, Jia-Ju Bai wrote:
In xfrm_policy(), the while loop on lines 3802-3830 ends when dst->xfrm is
NULL.
We don't have a xfrm_policy() function, and as said already the
line numbers do not help much as l
it is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/mac80211_hwsim.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c
b/drivers/net/wireless
found by a static analysis tool STCheck written by us.
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Jia-Ju Bai
---
v2:
* Add a fix tag.
Thank Jiri Pirko for helpful advice.
v3:
* Use a correct fix tag.
Thank Jiri Pirko for helpful advice.
---
net/sched/sch_codel.c |
eginning:
commit 76e3cc126bb223013a6b9a0e2a51238d1ef2e409
Author: Eric Dumazet
Date: Thu May 10 07:51:25 2012 +
codel: Controlled Delay AQM
Please adjust "Fixes:".
Thanks for the advice :)
I have sent a v3 patch.
Best wishes,
Jia-Ju Bai
gnl_entry);
INIT_LIST_HEAD(>list);
Thus, possible null-pointer dereferences may occur.
To fix these bugs, qla2x00_alloc_fcport() directly returns NULL
in the error handling code.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/
() directly returns FAILED
when rn is NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/csiostor/csio_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/csiostor/csio_scsi.c
b/drivers/scsi/csiostor
rence may occur.
To fix this bug, musb->hcd is checked before calling
musb_host_poke_root_hub().
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/usb/musb/musb_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
le null-pointer dereference may occur.
To fix this bug, led_trigger_event(&phy->last_triggered->trigger,
LED_OFF) is called when phy->last_triggered is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/net/phy/phy_led_triggers.c
not know how to correctly fix this bug, so I only report it.
Best wishes,
Jia-Ju Bai
dereferences may occur.
To avoid these bugs, when these variables are not assigned,
wlc_phy_radio_init_2056() directly returns.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net
0), ...)
Thus, a possible null-pointer dereference may occur.
To fix this bug, dev->udev is checked before calling msi2500_ctrl_msg().
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/media/usb/msi2500/msi2500.c | 2 +-
1 file changed,
ip6_rt_put(rt) is called when rt is not NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai
---
drivers/net/geneve.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index cb2ea8facd8d
) and checked by
my code review.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index b26533983864
static analysis tool (DSAC-2) and checked by
my code review.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_cmd.c
b/drivers/staging/rtl8188eu/core/rtw_cmd.c
index
On 2018/6/20 17:56, Dan Carpenter wrote:
On Wed, Jun 20, 2018 at 05:50:16PM +0800, Jia-Ju Bai wrote:
The driver may sleep while holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16.7 are:
[FUNC] kzalloc(GFP_KERNEL)
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 323
static analysis tool (DSAC-2) and checked by my
code review.
I do not know how to correctly fix this bug, so I just report it.
Maybe cgwb_kill() should not be called while holding a spinlock.
Best wishes,
Jia-Ju Bai
with GFP_ATOMIC.
This bug is found by my static analysis tool (DSAC-2) and checked by
my code review.
Signed-off-by: Jia-Ju Bai
---
mm/mempool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/mempool.c b/mm/mempool.c
index 5c9dce34719b..d33bd5d622e7 100644
--- a/mm
/rtmutex.c, 1249: _raw_spin_lock_irqsave in rt_mutex_slowlock
This bug is found by my static analysis tool (DSAC-2) and checked by my
code review.
I do not know how to correctly fix this bug, so I just report it.
Best wishes,
Jia-Ju Bai
409: spin_lock in kcov_ioctl
This bug is found by my static analysis tool (DSAC-2) and checked by my
code review.
I do not know how to correctly fix this bug, so I just report it.
Best wishes,
Jia-Ju Bai
On 2018/6/21 11:38, Matthew Wilcox wrote:
On Thu, Jun 21, 2018 at 11:07:14AM +0800, Jia-Ju Bai wrote:
The kernel may sleep while holding a spinlock.
The function call path (from bottom to top) in Linux-4.16.7 is:
[FUNC] remove_element(GFP_KERNEL)
mm/mempool.c, 250: remove_element
On 2018/6/21 11:43, Al Viro wrote:
On Thu, Jun 21, 2018 at 11:20:59AM +0800, Jia-Ju Bai wrote:
The kernel may sleep while holding a spinlock.
The function call path (from bottom to top) in Linux-4.16.7 is:
[FUNC] vfree --> can sleep
kernel/kcov.c, 237: vfree in kcov_put
kernel/kcov.c,
The argument "gfp_t flags" is not used in kasan_unpoison_element()
and remove_element(), so remove it.
Signed-off-by: Jia-Ju Bai
---
mm/mempool.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/mm/mempool.c b/mm/mempool.c
index 5c9dce34719b..3076ab3f7
.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtlwifi/halmac/rtl_halmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtlwifi/halmac/rtl_halmac.c
b/drivers/staging/rtlwifi/halmac/rtl_halmac.c
index 66f0a6dfc52c..e921a62e72a3 100644
--- a/drivers/staging
keyspan_probe() is never called in atomic context.
It calls usb_alloc_coherent() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/input/misc
powermate_alloc_buffers() is never called in atomic context.
It calls usb_alloc_coherent() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/input/misc
usb_probe() is never called in atomic context.
It calls usb_alloc_coherent() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/input/misc/yealink.c | 4
atp_open(), atp_recover() and atp_resume() are never
called in atomic context.
They call usb_submit_urb() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
aiptek_probe() is never called in atomic context.
It calls usb_alloc_coherent() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/input/tablet/aiptek.c
wdt87xx_resume() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/input/touchscreen/wdt87xx_i2c.c | 2
sr9700_bind() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/net/usb/sr9700.c | 2 +-
1 file changed
written by myself.
Signed-off-by: Jia-Ju Bai
---
sound/usb/quirks.c | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index acbeb52f6fd6..9eed650c54d4 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1181,7 +1181,7
hw_pll_init(), hw_reset_dac() and hw_card_init() are never
called in atomic context.
They call mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
sound
hw_pll_init(), hw_dac_stop(), hw_dac_start() and hw_adc_init()
are never called in atomic context.
They call mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
reset() and init_display() are never called in atomic context.
They call mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/fbtft
On 2018/7/27 18:34, Andy Shevchenko wrote:
On Fri, Jul 27, 2018 at 12:21 PM, Jia-Ju Bai wrote:
reset() and init_display() are never called in atomic context.
They call mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
gpio_set_value(par
pcmcia_fixup_iowidth() and pcmcia_enable_device() are
never called in atomic context.
They call mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers
gpio_poweroff_do_poweroff() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/power/reset/gpio
piix4_poweroff() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep() and usleep_range().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/power/reset/piix4
syscon_poweroff() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/power/reset/syscon-poweroff.c | 2
omap_rtc_power_off() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/rtc/rtc-omap.c | 2 +-
1 file
mrst_read_time() is never called in atomic context.
It calls mdelay() to busily wait, which is not necessary.
mdelay() can be replaced with msleep().
This is found by a static analysis tool named DCNS written by myself.
Signed-off-by: Jia-Ju Bai
---
drivers/rtc/rtc-mrst.c | 2 +-
1 file
o fix these bugs, the original calls to mutex_lock(>conf_mutex) and
mutex_unlock(>conf_mutex) are moved to the places, which can
protect the accesses to the shared variable.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/st/cw1200/scan.c | 13 ++---
1 file changed, 6 insertions(+)
spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai
---
drivers/usb/host/r8a
On 2018/12/18 19:11, Greg KH wrote:
On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote:
The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
be concurrently executed.
The two functions both access a possible shared variable "hep->hcpriv".
This sh
spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai
---
v2:
* Add __acquir
] means a function pointer call is used.
I do not find a good way to fix it, so I only report it.
These possible bugs are found by my static analysis tool (DSAC) and
checked by my code review.
Best wishes,
Jia-Ju Bai
way to fix, so I only report.
This is found by my static analysis tool (DSAC).
Best wishes,
Jia-Ju Bai
,
Jia-Ju Bai