lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 30 Aug 2018 10:34:20 +0800
From:   Jia-Ju Bai <baijiaju1990@...il.com>
To:     broonie@...nel.org, gregkh@...uxfoundation.org, rafael@...nel.org,
        David Howells <dhowells@...hat.com>,
        Dan Carpenter <dan.carpenter@...cle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        linus.walleij@...aro.org
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: [BUG] [Resend] Possible sleep-in-atomic-context bugs involving
 regmap_lock_mutex()

Hello,

My static tool DSAC reports many sleep-in-atomic-context bugs involving 
regmap_lock_mutex(), so I wonder whether this function is possible to be 
executed in atomic context.

Here are some example bugs and their call paths in Linux-4.16 (from 
bottom to top, and [FUNC_PTR] means that there is a function pointer call):

[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
     mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
     [FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/clk/clk-aspeed.c, 215:
     regmap_read in aspeed_clk_is_enabled
drivers/clk/clk-aspeed.c, 230:
     aspeed_clk_is_enabled in aspeed_clk_enable
drivers/clk/clk-aspeed.c, 228:
     _raw_spin_lock_irqsave in aspeed_clk_enable

[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
     mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2821:
     [FUNC_PTR]regmap_lock_mutex in regmap_update_bits_base
drivers/clk/clk-aspeed.c, 270:
     regmap_update_bits_base in aspeed_clk_disable
drivers/clk/clk-aspeed.c, 267:
     _raw_spin_lock_irqsave in aspeed_clk_disable

[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
     mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
     [FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/char/ipmi/bt-bmc.c, 385:
     regmap_read in bt_bmc_irq

[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
     mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2821:
     [FUNC_PTR]regmap_lock_mutex in regmap_update_bits_base
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 213:
     regmap_update_bits_base in hdmi_modb
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 429:
     hdmi_modb in hdmi_set_cts_n
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 527:
     hdmi_set_cts_n in hdmi_set_clk_regenerator
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c, 524:
     spin_lock_irq in hdmi_set_clk_regenerator

[FUNC] mutex_lock_nested
drivers/base/regmap/regmap.c, 468:
     mutex_lock_nested in regmap_lock_mutex
drivers/base/regmap/regmap.c, 2503:
     [FUNC_PTR]regmap_lock_mutex in regmap_read
drivers/media/platform/atmel/atmel-isc.c, 1603:
     regmap_read in isc_interrupt (interrupt handler)

I find the code about the assignment of regmap_lock_mutex():
         if ((bus && bus->fast_io) ||
             config->fast_io) {
             spin_lock_init(&map->spinlock);
             map->lock = regmap_lock_spinlock;
             map->unlock = regmap_unlock_spinlock;
             lockdep_set_class_and_name(&map->spinlock,
                            lock_key, lock_name);
         } else {
             mutex_init(&map->mutex);
             map->lock = regmap_lock_mutex;
             map->unlock = regmap_unlock_mutex;
             lockdep_set_class_and_name(&map->mutex,
                            lock_key, lock_name);
         }

But after reading the code, I cannot find the relationship between the 
if condition and atomic context.
I think assigning regmap_lock_mutex() to map->lock may be not proper.

I also find some similar previously reported problems about 
regmap_lock_mutex():
https://lists.launchpad.net/kernel-packages/msg187700.html
https://community.nxp.com/thread/432071

I am not sure whether my analysis and results are right.
Could someone please give me explanation?

Thanks in advance :)


Best wishes,
Jia-Ju Bai

Powered by blists - more mailing lists