Date:   Fri, 10 Aug 2018 22:03:00 +0800
From:   Jia-Ju Bai <baijiaju1990@...il.com>
To:     Thomas Gleixner <tglx@...utronix.de>, mingo@...hat.com,
        hpa@...or.com, mark.rutland@....com, swood@...hat.com,
        paulmck@...ux.vnet.ibm.com
Cc:     x86@...nel.org, linux-kernel@...r.kernel.org
Subject: [BUG] x86: kernel: nmi: A possible sleep-in-atomic-context bug in
 nmi_handle()

The code may sleep while holding an RCU read lock.

The function call paths (from bottom to top) in Linux-4.16 are:

========== BUG ==========
[FUNC] kmalloc(GFP_KERNEL)
arch/x86/mm/mmio-mod.c, 237: kmalloc in ioremap_trace_core
arch/x86/mm/mmio-mod.c, 289: ioremap_trace_core in mmiotrace_ioremap
arch/x86/mm/ioremap.c, 243: mmiotrace_ioremap in __ioremap_caller
arch/x86/mm/ioremap.c, 367: __ioremap_caller in ioremap_cache
./include/acpi/acpi_io.h, 13: ioremap_cache in acpi_os_ioremap
drivers/acpi/osl.c, 702: acpi_os_ioremap in acpi_os_read_memory
drivers/acpi/apei/apei-base.c, 662: acpi_os_read_memory in apei_read
drivers/acpi/apei/ghes.c, 335: apei_read in ghes_read_estatus
drivers/acpi/apei/ghes.c, 941: ghes_read_estatus in ghes_notify_nmi
arch/x86/kernel/nmi.c, 137: [FUNC_PTR]ghes_notify_nmi in nmi_handle
arch/x86/kernel/nmi.c, 124: rcu_read_lock in nmi_handle

Note that [FUNC_PTR] means a function pointer call is used.

I have not found a good way to fix it, so I am only reporting it.
These possible bugs were found by my static analysis tool (DSAC) and
checked by my code review.


Best wishes,
Jia-Ju Bai
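
Added example, not part of the original message and not kernel code: a user-space C model of the reported chain, in which a might_sleep()-style check counts a blocking allocation that is reached through a function pointer while the RCU read-side lock is held. The model_* names and MODEL_GFP_* flag values are constructed for illustration; the non-blocking run is only a contrast case for the check, not a proposed fix.

```c
/* User-space model of the reported call chain; NOT kernel code. */
#include <stdio.h>
#include <stdlib.h>

/* Constructed flag values for the model: bit 0 means "allocation may block". */
#define MODEL_GFP_ATOMIC 0x0u
#define MODEL_GFP_KERNEL 0x1u

static int rcu_depth;        /* nesting depth of the modelled rcu_read_lock() */
static int sleep_violations; /* blocking calls reached while rcu_depth > 0 */

static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }

/* Plays the role of a might_sleep()-style debug check. */
static void model_might_sleep(const char *what) {
    if (rcu_depth > 0) {
        sleep_violations++;
        fprintf(stderr, "BUG: %s may sleep under rcu_read_lock\n", what);
    }
}

static void *model_kmalloc(size_t size, unsigned int gfp) {
    if (gfp & MODEL_GFP_KERNEL)
        model_might_sleep("kmalloc(GFP_KERNEL)");
    return malloc(size);
}

/* Bottom of the chain: stands in for ghes_notify_nmi() down to kmalloc(). */
static int model_ghes_notify_nmi(unsigned int gfp) {
    free(model_kmalloc(64, gfp));
    return 1; /* "handled" */
}
typedef int (*nmi_handler_t)(unsigned int gfp);

/* Top of the chain: the handler is reached only through a function pointer. */
static int model_nmi_handle(nmi_handler_t handler, unsigned int gfp) {
    model_rcu_read_lock();
    int handled = handler(gfp);
    model_rcu_read_unlock();
    return handled;
}

/* Runs the chain once and returns how many violations the check recorded. */
int run_chain(unsigned int gfp) {
    sleep_violations = 0;
    model_nmi_handle(model_ghes_notify_nmi, gfp);
    return sleep_violations;
}
int main(void) { return run_chain(MODEL_GFP_KERNEL) == 1 ? 0 : 1; }
```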
