Re: [BUG] kernel: kcov: a possible sleep-in-atomic-context bug in kcov_ioctl()

[Jia-Ju Bai]

On 2019/12/17 21:02, Dmitry Vyukov wrote:
> On Tue, Dec 17, 2019 at 1:56 PM Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:
> > The kernel may sleep while holding a spinlock.
> > The function call path (from bottom to top) in Linux 4.19 is:
> >
> > kernel/kcov.c, 237:
> >       vfree in kcov_put
> > kernel/kcov.c, 413:
> >       kcov_put in kcov_ioctl_locked
> > kernel/kcov.c, 427:
> >       kcov_ioctl_locked in kcov_ioctl
> > kernel/kcov.c, 426:
> >       spin_lock in kcov_ioctl
> >
> > vfree() can sleep at runtime.
> >
> > I am not sure how to properly fix this possible bug, so I only report it.
> > A possible way is to replace vfree() with kfree(), and replace related
> > calls to vmalloc() with kmalloc().
> >
> > This bug is found by a static analysis tool STCheck written by myself.
> Hi Jia-Ju,
>
> Are you sure kcov_ioctl_locked can really release the descriptor? It
> happens in the context of ioctl, which means there is an open
> reference for the file descriptor. So ioctl should not do vfree I
> would assume.

Thanks for the reply :)
I am not sure, because I am not familiar with kcov.
But looking at the code, if the reference count of kcov is 1, vfree() 
could be called.


Best wishes,
Jia-Ju Bai