From patchwork Tue Oct  3 02:25:22 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jia-Ju Bai <baijiaju1990@163.com>
X-Patchwork-Id: 9981419
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2A4AD60384 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue,  3 Oct 2017 02:24:57 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1B48F28683
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue,  3 Oct 2017 02:24:57 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 0C7E02868D; Tue,  3 Oct 2017 02:24:57 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B376928683
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue,  3 Oct 2017 02:24:56 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751214AbdJCCYv (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 2 Oct 2017 22:24:51 -0400
Received: from m12-13.163.com ([220.181.12.13]:57355 "EHLO m12-13.163.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750846AbdJCCYu (ORCPT <rfc822; linux-wireless@vger.kernel.org>);
	Mon, 2 Oct 2017 22:24:50 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com;
	s=s110527; h=From:Subject:Date:Message-Id; bh=2sAnVMbZ2emW7xVE8P
	iulQ2icRq56m+FFI1cOn/Pmfg=; b=bXfDoaUHz4mq3K74fDBMH8GhadP1Q/Cyqg
	LEikygSyp1vrfWrqRFuSZpKxyz1AGdreRqegReFqbjgkMZBi+76qCvV4ibOXVshH
	60IKmoeSbyDggqf2QKZkTs/zdjOt8kreM/nGjAOjIyXTFf3MP0mZEU4gMQ9UgMSA
	LqvrSJqZk=
Received: from bai-oslab.tsinghua.edu.cn (unknown [166.111.70.46])
	by smtp9 (Coremail) with SMTP id DcCowACXq0yD9NJZ_CevLw--.26399S2;
	Tue, 03 Oct 2017 10:23:02 +0800 (CST)
From: Jia-Ju Bai <baijiaju1990@163.com>
To: davem@davemloft.net, herbert@gondor.apana.org.au,
	nhorman@tuxdriver.com, vyasevich@gmail.com, luto@kernel.org,
	kvalo@codeaurora.org
Cc: linux-crypto@vger.kernel.org, netdev@vger.kernel.org,
	linux-sctp@vger.kernel.org, linux-wireless@vger.kernel.org,
	Jia-Ju Bai <baijiaju1990@163.com>
Subject: [PATCH V2] Fix a sleep-in-atomic bug in shash_setkey_unaligned
Date: Tue,  3 Oct 2017 10:25:22 +0800
Message-Id: <1506997522-26684-1-git-send-email-baijiaju1990@163.com>
X-Mailer: git-send-email 1.7.9.5
X-CM-TRANSID: DcCowACXq0yD9NJZ_CevLw--.26399S2
X-Coremail-Antispam: 1Uf129KBjvdXoW7XryfCw18tFy5uFWDAw1DWrg_yoWkKrX_GF
	ykurn5Ww1UArs3X397G3y8XrnFgF1fGFy0k3Z3Xry3K345Jr4rWFn29rsrurZ3Zr4rWr98
	uan5Ar93JrnF9jkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
	9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IUbl1vDUUUUU==
X-Originating-IP: [166.111.70.46]
X-CM-SenderInfo: xedlyx5dmximizq6il2tof0z/1tbipQZmelUMG-X-rwAAsY
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The SCTP program may sleep under a spinlock, and the function call path is:
sctp_generate_t3_rtx_event (acquire the spinlock)
  sctp_do_sm
    sctp_side_effects
      sctp_cmd_interpreter
        sctp_make_init_ack
          sctp_pack_cookie
            crypto_shash_setkey
              shash_setkey_unaligned
                kmalloc(GFP_KERNEL)

For the same reason, the orinoco driver may sleep in interrupt handler, 
and the function call path is:
orinoco_rx_isr_tasklet
  orinoco_rx
    orinoco_mic
      crypto_shash_setkey
        shash_setkey_unaligned
          kmalloc(GFP_KERNEL)

To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool and my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
---
 crypto/shash.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index 5e31c8d..8fcecc6 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -41,7 +41,7 @@ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
 	int err;
 
 	absize = keylen + (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
-	buffer = kmalloc(absize, GFP_KERNEL);
+	buffer = kmalloc(absize, GFP_ATOMIC);
 	if (!buffer)
 		return -ENOMEM;