[BUG] rtl8188eu: Some possible sleep-in-atomic bugs in ips_leave

From: Jia-Ju Bai
Date: Sun Oct 08 2017 - 08:19:42 EST

Next message: Krzysztof Kozlowski: "[PATCH] dt-bindings: samsung: Document binding for new Odroid HC1 board"
Previous message: Richard Cochran: "Re: [PATCH net-next RFC 2/9] net: dsa: mv88e6xxx: expose switch time as a PTP hardware clock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

CC to mailing list.

On 2017/10/8 20:13, Jia-Ju Bai wrote:

The driver may sleep under a spinlock when calling the function "ips_leave", which causes some possible sleep-in-atomic bugs.
Here are several examples:
rtw_set_802_11_disassociate (acquire the spinlock)
_rtw_pwr_wakeup
ips_leave
mutex_lock --> may sleep

rtw_set_802_11_disassociate (acquire the spinlock)
_rtw_pwr_wakeup
ips_leave
rtw_ips_pwr_up
ips_netdrv_open
rtw_hal_init
rtl8188eu_hal_init
rtl88eu_download_fw
request_firmware --> may sleep
kmalloc --> may sleep

rtw_set_802_11_disassociate (acquire the spinlock)
_rtw_pwr_wakeup
ips_leave
rtw_set_key
kzalloc(GFP_KERNEL) --> may sleep

All these bugs are caused by that "ips_leave" calls some sleep-able functions.
A possible fix is to release the spinlock before calling "ips_leave", and acquire the spinlock again after it.

These bugs are found by my static analysis tool and my code review.

Thanks,
Jia-Ju Bai

Next message: Krzysztof Kozlowski: "[PATCH] dt-bindings: samsung: Document binding for new Odroid HC1 board"
Previous message: Richard Cochran: "Re: [PATCH net-next RFC 2/9] net: dsa: mv88e6xxx: expose switch time as a PTP hardware clock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]