net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx

Message ID	1497084579-32434-1-git-send-email-baijiaju1990@163.com
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Jia-Ju Bai <baijiaju1990@163.com> To: dmitry.tarnyagin@lockless.no, davem@davemloft.net Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai <baijiaju1990@163.com> Subject: [PATCH] net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx Date: Sat, 10 Jun 2017 16:49:39 +0800 Message-Id: <1497084579-32434-1-git-send-email-baijiaju1990@163.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

1497084579-32434-1-git-send-email-baijiaju1990@163.com

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Jia-Ju Bai <baijiaju1990@163.com>
To: dmitry.tarnyagin@lockless.no, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jia-Ju Bai <baijiaju1990@163.com>
Subject: [PATCH] net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
Date: Sat, 10 Jun 2017 16:49:39 +0800
Message-Id: <1497084579-32434-1-git-send-email-baijiaju1990@163.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Jia-Ju Bai June 10, 2017, 8:49 a.m. UTC

The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the
function call path is:
cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock)
  cfctrl_linkdown_req
    cfpkt_create
      cfpkt_create_pfx
        alloc_skb(GFP_KERNEL) --> may sleep
cfserl_receive (acquire the lock by rcu_read_lock)
  cfpkt_split
    cfpkt_create_pfx
      alloc_skb(GFP_KERNEL) --> may sleep

There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or
"GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function 
is called under a rcu read lock, instead in interrupt.

To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
---
 net/caif/cfpkt_skbuff.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

Comments

David Miller June 10, 2017, 10:21 p.m. UTC | #1

From: Jia-Ju Bai <baijiaju1990@163.com>
Date: Sat, 10 Jun 2017 16:49:39 +0800

> The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the
> function call path is:
> cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock)
>   cfctrl_linkdown_req
>     cfpkt_create
>       cfpkt_create_pfx
>         alloc_skb(GFP_KERNEL) --> may sleep
> cfserl_receive (acquire the lock by rcu_read_lock)
>   cfpkt_split
>     cfpkt_create_pfx
>       alloc_skb(GFP_KERNEL) --> may sleep
> 
> There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or
> "GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function 
> is called under a rcu read lock, instead in interrupt.
> 
> To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>

Applied and queued up for -stable.

diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c
index 59ce1fc..71b6ab2 100644
--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -81,11 +81,7 @@  static struct cfpkt *cfpkt_create_pfx(u16 len, u16 pfx)
 {
 	struct sk_buff *skb;
 
-	if (likely(in_interrupt()))
-		skb = alloc_skb(len + pfx, GFP_ATOMIC);
-	else
-		skb = alloc_skb(len + pfx, GFP_KERNEL);
-
+	skb = alloc_skb(len + pfx, GFP_ATOMIC);
 	if (unlikely(skb == NULL))
 		return NULL;

net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx

Commit Message

Comments

Patch