From: John Baldwin
To: freebsd-acpi@freebsd.org
Cc: Jia-Ju Bai, freebsd-drivers@freebsd.org
Subject: Re: [Bug 220096][PATCH] acpi_thermal: Fix a possible sleep-under-mutex bug in acpi_tz_thread
Date: Mon, 17 Jul 2017 09:38:54 -0700
Message-ID: <6854694.QsTIBa8hWt@ralph.baldwin.cx>
In-Reply-To: <20170618095245.40693-1-baijiaju1990@163.com>

On Sunday, June 18, 2017 05:52:45 PM Jia-Ju Bai wrote:
> The driver may sleep under a mutex, and the code path is:
> acpi_tz_thread [line 992: acquire the mutex]
> acpi_tz_thread [line 993]
> acpi_tz_thread [line 1003]
> acpi_tz_thread [line 1004] (msleep is executed)
> acpi_tz_thread [line 1008]
> acpi_tz_thread [line 970]
> acpi_tz_thread [line 971]
> acpi_tz_thread [line 975]
> malloc(M_WAITOK) [line 976]
>
> The possible fix of this bug is to replace "M_WAITOK" in malloc with
> "M_NOWAIT".
>
> This bug is found by a static analysis tool written by myself, and it is
> checked by my review of the FreeBSD code.
>
> Signed-off-by: Jia-Ju Bai
> ---
> sys/dev/acpica/acpi_thermal.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sys/dev/acpica/acpi_thermal.c b/sys/dev/acpica/acpi_thermal.c > index b2b2a13aa88..fb9f44b5711 100644 > --- a/sys/dev/acpica/acpi_thermal.c > +++ b/sys/dev/acpica/acpi_thermal.c
> @@ -974,7 +974,7 @@ acpi_tz_thread(void *arg) > } > devclass_get_devices(acpi_tz_devclass, &devs, &devcount); > sc = malloc(sizeof(struct acpi_tz_softc *) * devcount, M_TEMP, > - M_WAITOK | M_ZERO); > + M_NOWAIT | M_ZERO); > for (i = 0; i < devcount; i++) > sc[i] = device_get_softc(devs[i]); > } As noted in the followup to the PR, the lock is never held when malloc is called because msleep() uses PDROP. The malloc is safe to stay as M_WAITOK. -- John Baldwin
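Review bot: M_NOWAIT lets malloc() return NULL, and the for loop directly after the changed line stores into sc[i] with no check in between, so a failed allocation becomes a NULL pointer write in acpi_tz_thread. If the flag is changed, test sc for NULL before the loop and skip that pass on failure; given the reply's point that msleep() uses PDROP and the lock is not held at the malloc, keeping M_WAITOK | M_ZERO avoids the new failure path altogether.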