Re: [BUG] kernel: kcov: a possible sleep-in-atomic-context bug in kcov_ioctl()

[Jia-Ju Bai]

On 2019/12/17 21:13, Dmitry Vyukov wrote:
> On Tue, Dec 17, 2019 at 2:11 PM Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:
> > On 2019/12/17 21:02, Dmitry Vyukov wrote:
> > > On Tue, Dec 17, 2019 at 1:56 PM Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:
> > > > The kernel may sleep while holding a spinlock.
> > > > The function call path (from bottom to top) in Linux 4.19 is:
> > > >
> > > > kernel/kcov.c, 237:
> > > >        vfree in kcov_put
> > > > kernel/kcov.c, 413:
> > > >        kcov_put in kcov_ioctl_locked
> > > > kernel/kcov.c, 427:
> > > >        kcov_ioctl_locked in kcov_ioctl
> > > > kernel/kcov.c, 426:
> > > >        spin_lock in kcov_ioctl
> > > >
> > > > vfree() can sleep at runtime.
> > > >
> > > > I am not sure how to properly fix this possible bug, so I only report it.
> > > > A possible way is to replace vfree() with kfree(), and replace related
> > > > calls to vmalloc() with kmalloc().
> > > >
> > > > This bug is found by a static analysis tool STCheck written by myself.
> > > Hi Jia-Ju,
> > >
> > > Are you sure kcov_ioctl_locked can really release the descriptor? It
> > > happens in the context of ioctl, which means there is an open
> > > reference for the file descriptor. So ioctl should not do vfree I
> > > would assume.
> > Thanks for the reply :)
> > I am not sure, because I am not familiar with kcov.
> > But looking at the code, if the reference count of kcov is 1, vfree()
> > could be called.
> That kcov_put should never call vfree. We still hold reference
> associated with the file, which will be released in kcov_close.

Okay, thanks for the explanation :)
My static analysis tool does not know this fact, so it reports the false 
bug, sorry...


Best wishes,
Jia-Ju Bai