lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <1513085096-28422-1-git-send-email-baijiaju1990@gmail.com> Date: Tue, 12 Dec 2017 21:24:56 +0800 From: Jia-Ju Bai <baijiaju1990@...il.com> To: gregkh@...uxfoundation.org, jslaby@...e.com, acme@...ectiva.com.br Cc: linux-kernel@...r.kernel.org, Jia-Ju Bai <baijiaju1990@...il.com> Subject: [PATCH] tty/isicom: Fix a possible sleep-in-atomic bug in WaitTillCardIsFree The driver may sleep under a spinlock. The function call paths are: isicom_activate (acquire the spinlock) isicom_setup_board drop_dtr_rts WaitTillCardIsFree msleep --> may sleep isicom_set_termios isicom_config_port drop_dtr WaitTillCardIsFree msleep --> may sleep isicom_tiocmset drop_dtr WaitTillCardIsFree msleep --> may sleep Though "in_atomic" is used to check atomic context, but it is not recommended to use in driver code (see include/linux/preempt.h). To fix it, only using mdelay instead. This bug is found by my static analysis tool(DSAC) and checked by my code review. Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com> --- drivers/tty/isicom.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/tty/isicom.c b/drivers/tty/isicom.c index 015686f..bdd3027 100644 --- a/drivers/tty/isicom.c +++ b/drivers/tty/isicom.c @@ -219,13 +219,9 @@ struct isi_port { static int WaitTillCardIsFree(unsigned long base) { unsigned int count = 0; - unsigned int a = in_atomic(); /* do we run under spinlock? */ while (!(inw(base + 0xe) & 0x1) && count++ < 100) - if (a) - mdelay(1); - else - msleep(1); + mdelay(1); return !(inw(base + 0xe) & 0x1); } -- 1.7.9.5
Powered by blists - more mailing lists