drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in rtw_join_timeout_handler
Message ID | 20221018083424.79741-1-duoming@zju.edu.cn |
---|---|
State | New |
Series | drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in rtw_join_timeout_handler |
Commit Message
Duoming Zhou
Oct. 18, 2022, 8:34 a.m. UTC
The rtw_join_timeout_handler() is a timer handler that
runs in atomic context, but it could call msleep().
As a result, the sleep-in-atomic-context bug will happen.
The process is shown below:
(atomic context)
rtw_join_timeout_handler
_rtw_join_timeout_handler
rtw_do_join
rtw_select_and_join_from_scanned_queue
rtw_indicate_disconnect
rtw_lps_ctrl_wk_cmd
lps_ctrl_wk_hdl
LPS_Leave
LPS_RF_ON_check
msleep //sleep in atomic context
Fix by removing msleep() and replacing with mdelay().
Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
drivers/staging/r8188eu/core/rtw_pwrctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Oct 18, 2022 at 04:34:24PM +0800, Duoming Zhou wrote:
> The rtw_join_timeout_handler() is a timer handler that
> runs in atomic context, but it could call msleep().
> As a result, the sleep-in-atomic-context bug will happen.
> The process is shown below:
>
> (atomic context)
> rtw_join_timeout_handler

Wait, how is this an atomic timeout? When can that happen?

> _rtw_join_timeout_handler
> rtw_do_join
> rtw_select_and_join_from_scanned_queue
> rtw_indicate_disconnect
> rtw_lps_ctrl_wk_cmd
> lps_ctrl_wk_hdl
> LPS_Leave
> LPS_RF_ON_check
> msleep //sleep in atomic context

How was this found?

> Fix by removing msleep() and replacing with mdelay().

Wouldn't people have seen an error already if msleep() was really called
in atomic context?

And what about the other drivers that have this identical code, why only
fix one?

thanks,

greg k-h
Hello,

On Thu, 20 Oct 2022 17:46:47 +0200 Greg KH wrote:
> On Tue, Oct 18, 2022 at 04:34:24PM +0800, Duoming Zhou wrote:
> > The rtw_join_timeout_handler() is a timer handler that
> > runs in atomic context, but it could call msleep().
> > As a result, the sleep-in-atomic-context bug will happen.
> > The process is shown below:
> >
> > (atomic context)
> > rtw_join_timeout_handler
>
> Wait, how is this an atomic timeout?

Because this function is defined as a timer handler of "assoc_timer".
The following is the detail:

void rtw_init_mlme_timer(struct adapter *padapter)
{
	struct mlme_priv *pmlmepriv = &padapter->mlmepriv;

	timer_setup(&pmlmepriv->assoc_timer, rtw_join_timeout_handler, 0);
	...
}

https://elixir.bootlin.com/linux/latest/source/drivers/staging/r8188eu/os_dep/mlme_linux.c#L36

> When can that happen?

When the adapter tries to join and selects the scanning queue successfully,
the assoc_timer will be activated. If this process times out, the callback
function rtw_join_timeout_handler will run.

> > _rtw_join_timeout_handler
> > rtw_do_join
> > rtw_select_and_join_from_scanned_queue
> > rtw_indicate_disconnect
> > rtw_lps_ctrl_wk_cmd
> > lps_ctrl_wk_hdl
> > LPS_Leave
> > LPS_RF_ON_check
> > msleep //sleep in atomic context
>
> How was this found?
>
> > Fix by removing msleep() and replacing with mdelay().
>
> Wouldn't people have seen an error already if msleep() was really called
> in atomic context?

I am sorry, this is a false alarm.

rtw_indicate_disconnect()
	-->rtw_lps_ctrl_wk_cmd(padapter, LPS_CTRL_DISCONNECT, 1);

u8 rtw_lps_ctrl_wk_cmd(struct adapter *padapter, u8 lps_ctrl_type, u8 enqueue)
{
	...
	if (enqueue) {
		...
	} else {
		lps_ctrl_wk_hdl(padapter, lps_ctrl_type);
	}

The enqueue equals 1 and lps_ctrl_wk_hdl() will not execute.

I will check carefully and avoid false alarms next time.

Thank you for your reply.

Best regards,
Duoming Zhou
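A user-space model of the dispatch that makes the report above a false alarm, added here as an example and not code from the driver or the thread: a might_sleep()-style counter flags the sleeping poll only when rtw_lps_ctrl_wk_cmd() is reached with enqueue=0 from the timer path, while enqueue=1 defers the handler to the command thread. Every function here is a hypothetical stand-in named after the driver's, and the one-slot queue is an assumption.

```c
#include <stdbool.h>
/* Hypothetical user-space model of the r8188eu dispatch path; the names
 * mirror the driver's functions but none of this is kernel code. */
enum { LPS_CTRL_DISCONNECT = 1 };

static bool in_atomic_ctx;     /* true while the modelled timer handler runs */
static int  sleep_violations;  /* msleep() attempts while in_atomic_ctx     */
static int  pending_type = -1; /* one-slot stand-in for the command queue   */

/* Models LPS_RF_ON_check(): the poll loop's msleep(1) would trip the kernel's
 * might_sleep() debug check if it ever ran in atomic context. */
static void lps_rf_on_check(void)
{
	if (in_atomic_ctx)
		sleep_violations++;
}

/* Models lps_ctrl_wk_hdl() -> LPS_Leave() -> LPS_RF_ON_check(). */
static void lps_ctrl_wk_hdl(int type)
{
	if (type == LPS_CTRL_DISCONNECT)
		lps_rf_on_check();
}

/* Models rtw_lps_ctrl_wk_cmd(): enqueue=1 defers, enqueue=0 runs inline. */
static void rtw_lps_ctrl_wk_cmd(int type, int enqueue)
{
	if (enqueue)
		pending_type = type;      /* handled later by the cmd thread */
	else
		lps_ctrl_wk_hdl(type);    /* runs in the caller's context    */
}

/* Models the command thread draining the queue in process context. */
static void cmd_thread_drain(void)
{
	in_atomic_ctx = false;
	if (pending_type >= 0)
		lps_ctrl_wk_hdl(pending_type);
	pending_type = -1;
}

/* Runs the assoc_timer path once; returns the number of atomic-context sleeps. */
int run_join_timeout_path(int enqueue)
{
	sleep_violations = 0;
	in_atomic_ctx = true;  /* timer callback context */
	rtw_lps_ctrl_wk_cmd(LPS_CTRL_DISCONNECT, enqueue); /* as in rtw_indicate_disconnect() */
	cmd_thread_drain();
	return sleep_violations;
}
```

With enqueue=1 (the driver's actual call) the poll runs from the drained queue and no violation is counted; only the inline enqueue=0 path would sleep in the timer context the static report assumed.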
diff --git a/drivers/staging/r8188eu/core/rtw_pwrctrl.c b/drivers/staging/r8188eu/core/rtw_pwrctrl.c index 870d81735b8..5290ac36f08 100644 --- a/drivers/staging/r8188eu/core/rtw_pwrctrl.c +++ b/drivers/staging/r8188eu/core/rtw_pwrctrl.c @@ -273,7 +273,7 @@ static s32 LPS_RF_ON_check(struct adapter *padapter, u32 delay_ms) err = -1; break; } - msleep(1); + mdelay(1); } return err;
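Review bot: the msleep(1) to mdelay(1) change in the LPS_RF_ON_check() poll loop should be dropped, because the premise of the patch does not hold: as the thread above establishes, rtw_indicate_disconnect() calls rtw_lps_ctrl_wk_cmd() with enqueue set to 1, so lps_ctrl_wk_hdl() and this loop run from the command thread rather than from the assoc_timer callback, and a real sleep in atomic context would have produced the kernel warning the reviewer asks about. In process context mdelay(1) is strictly worse than msleep(1): the loop busy-waits for up to delay_ms iterations instead of yielding the CPU. If the atomic call chain is ever confirmed, the fix belongs at the call site (deferring the work), not in this loop, and the reviewer's question about the other drivers carrying identical code would apply to that fix as well.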