| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9bcef57b-1a5c-cd16-8e44-932ef3be08cb@gmail.com>
Date: Thu, 30 Aug 2018 10:34:20 +0800
From: Jia-Ju Bai <baijiaju1990@...il.com>
To: broonie@...nel.org, gregkh@...uxfoundation.org, rafael@...nel.org,
David Howells <dhowells@...hat.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linus.walleij@...aro.org
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: [BUG] [Resend] Possible sleep-in-atomic-context bugs involving
regmap_lock_mutex()
Hello,
My static tool DSAC reports many sleep-in-atomic-context bugs involving
regmap_lock_mutex(), so I wonder whether this function is possible to be
executed in atomic context.
Here are some example bugs and their call paths in Linux-4.16 (from
bottom to top, and [FUNC_PTR] means that there is a function pointer call):
[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
[FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/clk/clk-aspeed.c, 215:
regmap_read in aspeed_clk_is_enabled
drivers/clk/clk-aspeed.c, 230:
aspeed_clk_is_enabled in aspeed_clk_enable
drivers/clk/clk-aspeed.c, 228:
_raw_spin_lock_irqsave in aspeed_clk_enable
[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2821:
[FUNC_PTR]regmap_lock_mutex in regmap_update_bits_base
drivers/clk/clk-aspeed.c, 270:
regmap_update_bits_base in aspeed_clk_disable
drivers/clk/clk-aspeed.c, 267:
_raw_spin_lock_irqsave in aspeed_clk_disable
[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
[FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/char/ipmi/bt-bmc.c, 385:
regmap_read in bt_bmc_irq
[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2821:
[FUNC_PTR]regmap_lock_mutex in regmap_update_bits_base
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 213:
regmap_update_bits_base in hdmi_modb
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 429:
hdmi_modb in hdmi_set_cts_n
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 527:
hdmi_set_cts_n in hdmi_set_clk_regenerator
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 524:
spin_lock_irq in hdmi_set_clk_regenerator
[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
[FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/media/platform/atmel/atmel-isc.c, 1603:
regmap_read in isc_interrupt (interrupt handler)
I find the code about the assignment of regmap_lock_mutex():
if ((bus && bus->fast_io) ||
config->fast_io) {
spin_lock_init(&map->spinlock);
map->lock = regmap_lock_spinlock;
map->unlock = regmap_unlock_spinlock;
lockdep_set_class_and_name(&map->spinlock,
lock_key, lock_name);
} else {
mutex_init(&map->mutex);
map->lock = regmap_lock_mutex;
map->unlock = regmap_unlock_mutex;
lockdep_set_class_and_name(&map->mutex,
lock_key, lock_name);
}
But after reading the code, I cannot find the relationship between the
if condition and atomic context.
I think assigning regmap_lock_mutex() to map->lock may be not proper.
I also find some similar previously reported problems about
regmap_lock_mutex():
https://lists.launchpad.net/kernel-packages/msg187700.html
https://community.nxp.com/thread/432071
I am not sure whether my analysis and results are right.
Could someone please give me explanation?
Thanks in advance :)
Best wishes,
Jia-Ju Bai
Powered by blists - more mailing lists