lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  9 Sep 2016 23:43:35 +0300
From:   Alexey Khoroshilov <khoroshilov@...ras.ru>
To:     Alexandre Bounine <alexandre.bounine@....com>
Cc:     Alexey Khoroshilov <khoroshilov@...ras.ru>,
        Matt Porter <mporter@...nel.crashing.org>,
        linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org
Subject: [PATCH] rapidio: avoid GFP_KERNEL in atomic context in riocm_send_close()

riocm_send_close() is called from rio_cm_shutdown() and riocm_ch_close().
The first site is within section protected by idr_lock spinlock,
while the second one is not in atomic context.

The patch adds gfp_t argument to allocate memory appropriately to
the corresponding context.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
---
 drivers/rapidio/rio_cm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index 3fa17ac8df54..ff5ed8970309 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -1395,7 +1395,7 @@ static void riocm_ch_free(struct kref *ref)
 	complete(&ch->comp_close);
 }
 
-static int riocm_send_close(struct rio_channel *ch)
+static int riocm_send_close(struct rio_channel *ch, gfp_t gfp)
 {
 	struct rio_ch_chan_hdr *hdr;
 	int ret;
@@ -1404,7 +1404,7 @@ static int riocm_send_close(struct rio_channel *ch)
 	 * Send CH_CLOSE notification to the remote RapidIO device
 	 */
 
-	hdr = kzalloc(sizeof(*hdr), GFP_KERNEL);
+	hdr = kzalloc(sizeof(*hdr), gfp);
 	if (hdr == NULL)
 		return -ENOMEM;
 
@@ -1450,7 +1450,7 @@ static int riocm_ch_close(struct rio_channel *ch)
 
 	state = riocm_exch(ch, RIO_CM_DESTROYING);
 	if (state == RIO_CM_CONNECTED)
-		riocm_send_close(ch);
+		riocm_send_close(ch, GFP_KERNEL);
 
 	complete_all(&ch->comp);
 
@@ -2254,7 +2254,7 @@ static int rio_cm_shutdown(struct notifier_block *nb, unsigned long code,
 	idr_for_each_entry(&ch_idr, ch, i) {
 		riocm_debug(EXIT, "close ch %d", ch->id);
 		if (ch->state == RIO_CM_CONNECTED)
-			riocm_send_close(ch);
+			riocm_send_close(ch, GFP_ATOMIC);
 	}
 	spin_unlock_bh(&idr_lock);
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ