[PATCH v2] net: sched: Fix a possible null-pointer dereference in dequeue_func()

2019-07-29 Thread Jia-Ju Bai
s found by a static analysis tool STCheck written by us. Fixes: 79bdc4c862af ("codel: generalize the implementation") Signed-off-by: Jia-Ju Bai --- v2: * Add a fix tag. Thank Jiri Pirko for helpful advice. --- net/sched/sch_codel.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deleti

Re: [BUG] net: xfrm: possible null-pointer dereferences in xfrm_policy()

2019-07-29 Thread Jia-Ju Bai
On 2019/7/29 16:03, Steffen Klassert wrote: On Mon, Jul 29, 2019 at 11:43:49AM +0800, Jia-Ju Bai wrote: In xfrm_policy(), the while loop on lines 3802-3830 ends when dst->xfrm is NULL. We don't have a xfrm_policy() function, and as said already the line numbers does not help much as

[PATCH] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl()

2019-07-29 Thread Jia-Ju Bai
is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/net/wireless/mac80211_hwsim.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless

[PATCH v3] net: sched: Fix a possible null-pointer dereference in dequeue_func()

2019-07-29 Thread Jia-Ju Bai
s found by a static analysis tool STCheck written by us. Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") Signed-off-by: Jia-Ju Bai --- v2: * Add a fix tag. Thank Jiri Pirko for helpful advice. v3: * Use a correct fix tag. Thank Jiri Pirko for helpful advice. --- net/sched/sch_c

Re: [PATCH v2] net: sched: Fix a possible null-pointer dereference in dequeue_func()

2019-07-29 Thread Jia-Ju Bai
he beginning: commit 76e3cc126bb223013a6b9a0e2a51238d1ef2e409 Author: Eric Dumazet Date: Thu May 10 07:51:25 2012 + codel: Controlled Delay AQM Please adjust "Fixes:". Thanks for the advice :) I have sent a v3 patch. Best wishes, Jia-Ju Bai

[PATCH] scsi: qla2xxx: Fix possible null-pointer dereferences in qla2x00_alloc_fcport()

2019-07-29 Thread Jia-Ju Bai
INIT_LIST_HEAD(&fcport->gnl_entry); INIT_LIST_HEAD(&fcport->list); Thus, possible null-pointer dereferences may occur. To fix these bugs, qla2x00_alloc_fcport() directly returns NULL in the error handling code. These bugs are found by a static analysis tool STCheck written b

[PATCH] scsi: csiostor: Fix a possible null-pointer dereference in csio_eh_lun_reset_handler()

2019-07-29 Thread Jia-Ju Bai
() directly returns FAILED when rn is NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/scsi/csiostor/csio_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor

[PATCH] usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect()

2019-07-29 Thread Jia-Ju Bai
rence may occur. To fix this bug, musb->hcd is checked before calling musb_host_poke_root_hub(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/usb/musb/musb_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git

[PATCH] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed()

2019-07-29 Thread Jia-Ju Bai
us, a possible null-pointer dereference may occur. To fix this bug, led_trigger_event(&phy->last_triggered->trigger, LED_OFF) is called when phy->last_triggered is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/net/phy/ph

[BUG] media: pci: cx18: a possible null-pointer dereference in cx18_vapi()

2019-07-29 Thread Jia-Ju Bai
I do not know how to correctly fix this bug, so I only report it. Best wishes, Jia-Ju Bai

[PATCH] brcm80211: Avoid possible null-pointer dereferences in wlc_phy_radio_init_2056()

2019-07-29 Thread Jia-Ju Bai
dereferences may occur. To avoid these bugs, when these variables are not assigned, wlc_phy_radio_init_2056() directly returns. Signed-off-by: Jia-Ju Bai --- drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net

[PATCH] media: usb: msi2500: Fix a possible null-pointer dereference in msi2500_stop_streaming()

2019-07-29 Thread Jia-Ju Bai
, ...) Thus, a possible null-pointer dereference may occur. To fix this bug, dev->udev is checked before calling msi2500_ctrl_msg(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/media/usb/msi2500/msi2500.c | 2 +- 1 file changed,

[PATCH] net: geneve: Fix a possible null-pointer dereference in geneve_link_config()

2019-07-29 Thread Jia-Ju Bai
bug, ip6_rt_put(rt) is called when rt is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/net/geneve.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c

[PATCH] net: e1000: Fix some bugs in error handling code of e1000_probe()

2019-05-03 Thread Jia-Ju Bai
er also calls "iounmap(hw->ce4100_gbe_mido_base_virt)" but hw->ce4100_gbe_mido_base_virt has not been assigned. These bugs are found by a runtime fuzzing tool named FIZZER written by us. To fix these bugs, the error handling code of e1000_probe() is adjusted. Signed-off-by: Jia-Ju Bai --- drivers

Re: linux-next: build warning after merge of the akpm-current tree

2019-07-31 Thread Jia-Ju Bai
led when using this patch. Thus, I think the definition of ocfs2_xa_add_entry() could be removed. If it is okay, I can send a new patch (v3). Best wishes, Jia-Ju Bai

[PATCH] ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()

2019-07-25 Thread Jia-Ju Bai
tor_name; Thus, a possible null-pointer dereference may occur. To fix this bug, referring to lines 773 and 774, ak->adc_info and ak->adc_info[mixer_ch].selector_name are checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai

[PATCH] fs: overlayfs: Fix a possible null-pointer dereference in ovl_free_fs()

2019-07-25 Thread Jia-Ju Bai
on line 224: ovl_inuse_unlock(ofs->upper_mnt->mnt_root); Thus, a possible null-pointer dereference may occur. To fix this bug, ofs->upper_mnt is checked before being used in ovl_free_fs(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/

[PATCH] net: tipc: Fix a possible null-pointer dereference in tipc_publ_purge()

2019-07-25 Thread Jia-Ju Bai
analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/tipc/name_distr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c index 44abc8e9c990..241ed2274473 100644 --- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c

[PATCH] net: bluetooth: hci_sock: Fix a possible null-pointer dereference in hci_mgmt_cmd()

2019-07-25 Thread Jia-Ju Bai
nce(), add_device() and remove_device() in mgmt.c. Thus, a possible null-pointer dereference may occur. To fix this bug, hdev is checked before calling handler->func(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/bluetooth/hci_sock.c

[PATCH] infiniband: hw: cxgb3: Fix a possible null-pointer dereference in connect_reply_upcall()

2019-07-25 Thread Jia-Ju Bai
o fix this bug, ep->com.cm_id is checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/infiniband/hw/cxgb3/iwch_cm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/cxgb3

Re: [PATCH] ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()

2019-07-25 Thread Jia-Ju Bai
On 2019/7/25 23:52, Takashi Iwai wrote: On Thu, 25 Jul 2019 10:27:33 +0200, Jia-Ju Bai wrote: In build_adc_controls(), there is an if statement on line 773 to check whether ak->adc_info is NULL: if (! ak->adc_info || ! ak->adc_info[mixer_ch].switch_name)

[PATCH v2] ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()

2019-07-25 Thread Jia-Ju Bai
hus, a possible null-pointer dereference may occur. To fix this bug, referring to lines 773 and 774, ak->adc_info and ak->adc_info[mixer_ch].selector_name are checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Fi

[PATCH 1/2] net: ipv4: Fix a possible null-pointer dereference in inet_csk_rebuild_route()

2019-07-25 Thread Jia-Ju Bai
ned-off-by: Jia-Ju Bai --- net/ipv4/inet_connection_sock.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index f5c163d4771b..27d9d80f3401 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/n

[PATCH 2/2] net: ipv4: Fix a possible null-pointer dereference in fib4_rule_suppress()

2019-07-25 Thread Jia-Ju Bai
fib_clntref)) Thus, a possible null-pointer dereference may occur. To fix this bug, result->fi is checked before calling fib_info_put(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/ipv4/fib_rules.c | 2 +- 1 file changed, 1 in

[PATCH 3/3] fs: ocfs2: Fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc()

2019-07-25 Thread Jia-Ju Bai
ruct ocfs2_super *osb = OCFS2_SB(inode->i_sb); Thus, a possible null-pointer dereference may occur. To fix this bug, inode_alloc is checked on line 286. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/ocfs2/ioctl.c | 2 +- 1 file cha

[PATCH 1/3] fs: ocfs2: Fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()

2019-07-25 Thread Jia-Ju Bai
ll-pointer dereferences may occur. To fix these bugs, if loc->xl_entry is NULL, ocfs2_xa_prepare_entry() abnormally returns with -EINVAL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/ocfs2/xattr.c | 6 -- 1 file changed, 4 insertions

[PATCH 2/3] fs: ocfs2: Fix a possible null-pointer dereference in ocfs2_write_end_nolock()

2019-07-25 Thread Jia-Ju Bai
>t_tid; Thus, a possible null-pointer dereference may occur. To fix this bug, handle is checked before calling ocfs2_update_inode_fsync_trans(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/ocfs2/aops.c | 3 ++- 1 file changed, 2 inserti

[PATCH] fs: nfs: Fix possible null-pointer dereferences in encode_attrs()

2019-07-26 Thread Jia-Ju Bai
*p++ = cpu_to_be32(label->len); p = xdr_encode_opaque_fixed(p, label->label, label->len); To fix these bugs, label is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/nfs/nfs4xdr.c | 2 +- 1 file

[PATCH 2/2] net: ipv6: Fix a possible null-pointer dereference in vti6_link_config()

2019-07-26 Thread Jia-Ju Bai
when rt is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/ipv6/ip6_vti.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 024db17386d2..572647205c52 100644 --- a/n

[PATCH 1/2] net: ipv6: Fix a possible null-pointer dereference in ip6_xmit()

2019-07-26 Thread Jia-Ju Bai
ore calling ip6_autoflowlabel(net,np). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/ipv6/ip6_output.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 8e49fd62e

[PATCH] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()

2019-07-26 Thread Jia-Ju Bai
To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb when it is NULL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/isdn/hardware/mISDN/hfcsusb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers

[PATCH] fs: reiserfs: Fix possible null-pointer dereferences in remove_from_transaction()

2019-07-26 Thread Jia-Ju Bai
(bh); put_bh(bh); Thus, possible null-pointer dereferences may occur. To fix these bugs, bh is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/reiserfs/journal.c | 7 --- 1 file changed, 4 insertions

[PATCH] input: touchscreen: wm97xx-core: Fix possible null-pointer dereferences in wm97xx_ts_input_open()

2019-07-26 Thread Jia-Ju Bai
lysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/input/touchscreen/wm97xx-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/touchscreen/wm97xx-core.c b/drivers/input/touchscreen/wm97xx-core.c index 0a174bd82915..f7bd0726a577 1006

Re: [PATCH] input: touchscreen: wm97xx-core: Fix possible null-pointer dereferences in wm97xx_ts_input_open()

2019-07-26 Thread Jia-Ju Bai
On 2019/7/26 17:06, Charles Keepax wrote: On Fri, Jul 26, 2019 at 04:48:16PM +0800, Jia-Ju Bai wrote: In wm97xx_ts_input_open(), there is an if statement on line 507 to check whether wm->mach_ops is NULL: if (wm->mach_ops && wm->mach_ops->acc_enabled) When wm->

[PATCH v2] input: touchscreen: wm97xx-core: Fix possible null-pointer dereferences in wm97xx_ts_input_open()

2019-07-26 Thread Jia-Ju Bai
tic analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Add a new check of wm->mach_ops in wm97xx_init_pen_irq(). Thank Charles for helpful advice. --- drivers/input/touchscreen/wm97xx-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/input/touchscree

Re: [PATCH 1/3] fs: ocfs2: Fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()

2019-07-26 Thread Jia-Ju Bai
On 2019/7/26 17:37, Joseph Qi wrote: On 19/7/26 11:36, Jia-Ju Bai wrote: In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to check whether loc->xl_entry is NULL: if (loc->xl_entry) When loc->xl_entry is NULL, it is used on line 2158: ocfs2_xa_add_

[PATCH 1/3 v2] fs: ocfs2: Fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()

2019-07-26 Thread Jia-Ju Bai
nter dereferences may occur. To fix these bugs, if loc->xl_entry is NULL, ocfs2_xa_prepare_entry() abnormally returns with -EINVAL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Directly return -EINVAL if loc->xl_entry is NULL. Thank

[PATCH v3] input: touchscreen: wm97xx-core: Fix possible null-pointer dereferences in wm97xx_ts_input_open()

2019-07-26 Thread Jia-Ju Bai
tic analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Add a new check of wm->mach_ops in wm97xx_init_pen_irq(). Thank Charles for helpful advice. v3: * Print a message if wm->mach_ops is NULL in wm97xx_init_pen_irq(). Thank Charles for helpful advice. --- dri

[PATCH] net: rds: Fix possible null-pointer dereferences in rds_rdma_cm_event_handler_cmn()

2019-07-26 Thread Jia-Ju Bai
tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/rds/rdma_transport.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c index ff74c4bbb9fc..9986d6065c4d 100644 --- a/net/rds/rdma_transport.c +++ b/net/rds/rdm

[PATCH] mmc: host: dw_mmc: Fix possible null-pointer dereferences in dw_mci_runtime_resume()

2019-07-26 Thread Jia-Ju Bai
mci_setup_bus(host->slot, true); struct dw_mci *host = slot->host; Thus, possible null-pointer dereferences may occur. To fix these bugs, host->slot is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- driv

Re: [PATCH] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed()

2019-07-29 Thread Jia-Ju Bai
On 2019/7/29 21:45, Andrew Lunn wrote: On Mon, Jul 29, 2019 at 05:24:24PM +0800, Jia-Ju Bai wrote: In phy_led_trigger_change_speed(), there is an if statement on line 48 to check whether phy->last_triggered is NULL: if (!phy->last_triggered) When phy->last_triggered is NULL, i

[PATCH v2] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()

2019-07-29 Thread Jia-Ju Bai
nd by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- v2: * Adjust the code and add an assignment. Thank Darrick J. Wong for helpful advice. --- fs/xfs/scrub/dabtree.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/xfs/scrub/dabt

Re: [PATCH] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed()

2019-07-30 Thread Jia-Ju Bai
On 2019/7/30 11:41, David Miller wrote: From: Andrew Lunn Date: Tue, 30 Jul 2019 05:32:29 +0200 On Tue, Jul 30, 2019 at 10:25:36AM +0800, Jia-Ju Bai wrote: On 2019/7/29 21:45, Andrew Lunn wrote: On Mon, Jul 29, 2019 at 05:24:24PM +0800, Jia-Ju Bai wrote: In phy_led_trigger_change_speed

[PATCH v2] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed()

2019-07-30 Thread Jia-Ju Bai
us, a possible null-pointer dereference may occur. To fix this bug, led_trigger_event(&phy->last_triggered->trigger, LED_OFF) is called when phy->last_triggered is not NULL. This bug is found by a static analysis tool STCheck written by the OSLAB group in Tsinghua University. Signed-off-b

[PATCH] security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()

2019-07-23 Thread Jia-Ju Bai
_to_auditdata(skb, &ad.a, NULL); Thus, possible null-pointer dereferences may occur when skb is NULL. To fix these possible bugs, an if statement is added to check skb. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- security/smack/smack

[PATCH] fs: afs: Fix a possible null-pointer dereference in afs_put_read()

2019-07-23 Thread Jia-Ju Bai
null-pointer dereference may occur in this case. To fix this possible bug, an if statement is added in afs_put_read() to check req->pages. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/afs/file.c | 12 +++- 1 file changed, 7 i

[PATCH] x86: Fix possible null-pointer dereferences in untrack_pfn()

2019-07-23 Thread Jia-Ju Bai
vm_end - vma->vm_start; Thus, possible null-pointer dereferences may occur. To fix these possible bugs, vma is checked on line 1063. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- arch/x86/mm/pat.c | 2 +- 1 file changed, 1 insertion(+), 1 de

[PATCH] ALSA: isa: gus: Fix a possible null-pointer dereference in snd_gf1_mem_xfree()

2019-07-23 Thread Jia-Ju Bai
cur in this case. To fix this possible bug, block->next is checked before using it. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- sound/isa/gus/gus_mem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/isa/gus/g

Re: [PATCH] ALSA: isa: gus: Fix a possible null-pointer dereference in snd_gf1_mem_xfree()

2019-07-23 Thread Jia-Ju Bai
Thanks for the quick reply :) I think you are right, and I did not consider "if (alloc->last == block)" Sorry for the false report... Best wishes, Jia-Ju Bai On 2019/7/23 21:47, Takashi Iwai wrote: On Tue, 23 Jul 2019 15:40:20 +0200, Jia-Ju Bai wrote: In snd_gf1_mem_xfree(), t

[PATCH] fs: kernfs: Fix possible null-pointer dereferences in kernfs_path_from_node_locked()

2019-07-23 Thread Jia-Ju Bai
trlcpy(buf + len, kn->name, ...) Thus, possible null-pointer dereferences may occur. To fix these possible bugs, buf is checked before being used. If it is NULL, -EINVAL is returned. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/ker

[PATCH] fs: jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()

2019-07-23 Thread Jia-Ju Bai
ofs) Thus possible null-pointer dereferences may occur. To fix these bugs, -EINVAL is returned when "this" is NULL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/jffs2/nodelist.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) d

[PATCH] ata: libata-core: Fix possible null-pointer dereferences in ata_host_alloc_pinfo()

2019-07-23 Thread Jia-Ju Bai
i[j] is NULL, the loop continues, and "j++" is moved to the loop's regulator. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/ata/libata-core.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/

[PATCH] fs: nfsd: Fix three possible null-pointer dereferences

2019-07-24 Thread Jia-Ju Bai
To fix these possible bugs, -EINVAL is returned when cb is NULL. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/nfsd/nfs4callback.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/

[PATCH] char: ppdev: Fix a possible null-pointer dereference in pp_release()

2019-07-24 Thread Jia-Ju Bai
parport_release(pp->pdev); Thus, a possible null-pointer dereference may occur. To fix this bug, pp->pdev is checked on line 740. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/char/ppdev.c | 2 +- 1 file changed, 1 insertion(+),

[PATCH] net: key: af_key: Fix possible null-pointer dereferences in pfkey_send_policy_notify()

2019-07-24 Thread Jia-Ju Bai
Thus, possible null-pointer dereferences may occur. To fix these bugs, xp is checked before calling key_notify_policy(). These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/key/af_key.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/n

[PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy()

2019-07-24 Thread Jia-Ju Bai
nce may occur. To fix this bug, key->tfm is checked before calling crypto_free_sync_skcipher(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/ceph/crypto.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ceph/cry

[PATCH] fs: crypto: keyinfo: Fix a possible null-pointer dereference in derive_key_aes()

2019-07-24 Thread Jia-Ju Bai
calling crypto_free_skcipher(). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- fs/crypto/keyinfo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c index 207ebed918c1..b419720cac54 100644 -

[PATCH] net: 9p: Fix possible null-pointer dereferences in p9_cm_event_handler()

2019-07-24 Thread Jia-Ju Bai
sis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/9p/trans_rdma.c | 24 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c index bac8dad5dd69..eba3c5fc2731 100644 --- a/net/9p/trans_rdma.c +++ b/net

[PATCH] ALSA: core: Fix possible null-pointer dereferences in snd_timer_proc_read()

2019-07-24 Thread Jia-Ju Bai
references may occur. To fix these bugs, timer->card is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- sound/core/timer.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/sound/core/ti

[PATCH 1/2] net: mac80211: Fix possible null-pointer dereferences in ieee80211_setup_sdata()

2019-07-24 Thread Jia-Ju Bai
0211_monitorif_ops; Thus, possible null-pointer dereferences may occur. To fix these bugs, sdata->dev is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/mac80211/iface.c | 6 -- 1 file changed, 4 inserti

[PATCH 2/2] net: mac80211: Fix possible null-pointer dereferences in ieee80211_xmit_fast_finish()

2019-07-24 Thread Jia-Ju Bai
x20 | (key->conf.keyidx << 6); Thus, possible null-pointer dereferences may occur. To fix these bugs, key is checked on line 3384. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- net/mac80211/tx.c | 2 +- 1 file changed, 1 inser

Re: [PATCH] net: nvidia: forcedeth: Fix two possible concurrency use-after-free bugs

2019-01-08 Thread Jia-Ju Bai
On 2019/1/9 9:24, Yanjun Zhu wrote: On 2019/1/8 20:57, Jia-Ju Bai wrote: On 2019/1/8 20:54, Zhu Yanjun wrote: On 2019/1/8 20:45, Jia-Ju Bai wrote: In drivers/net/ethernet/nvidia/forcedeth.c, the functions nv_start_xmit() and nv_start_xmit_optimized() can be concurrently executed with

Re: [PATCH] net: nvidia: forcedeth: Fix two possible concurrency use-after-free bugs

2019-01-08 Thread Jia-Ju Bai
On 2019/1/9 10:35, Yanjun Zhu wrote: On 2019/1/9 10:03, Jia-Ju Bai wrote: On 2019/1/9 9:24, Yanjun Zhu wrote: On 2019/1/8 20:57, Jia-Ju Bai wrote: On 2019/1/8 20:54, Zhu Yanjun wrote: On 2019/1/8 20:45, Jia-Ju Bai wrote: In drivers/net/ethernet/nvidia/forcedeth.c, the functions

Re: [PATCH] net: nvidia: forcedeth: Fix two possible concurrency use-after-free bugs

2019-01-08 Thread Jia-Ju Bai
On 2019/1/9 11:24, Yanjun Zhu wrote: If you have forcedeth NIC, you can make tests with it.:-) Ah, I would like to, but I do not have the hardware... Best wishes, Jia-Ju Bai

[BUG] net: huawei: hinic: a possible sleep-in-atomic-context bug in hinic_get_stats64

2019-01-10 Thread Jia-Ju Bai
way may be to replace up() and down() with spin_lock() and spin_unlock(). Best wishes, Jia-Ju Bai

[BUG] net: huawei: hinic: a possible sleep-in-atomic-context bug in msg_to_mgmt_async

2019-01-10 Thread Jia-Ju Bai
lock() and spin_unlock(). Best wishes, Jia-Ju Bai

Re: [BUG] [Resend] Possible sleep-in-atomic-context bugs involving regmap_lock_mutex()

2018-09-12 Thread Jia-Ju Bai
Thanks for the reply :) On 2018/9/11 1:41, Mark Brown wrote: On Thu, Aug 30, 2018 at 10:34:20AM +0800, Jia-Ju Bai wrote: My static tool DSAC reports many sleep-in-atomic-context bugs involving regmap_lock_mutex(), so I wonder whether this function is possible to be executed in atomic context

[PATCH V2] hid: hid-core: Fix a sleep-in-atomic-context bug in __hid_request()

2018-09-12 Thread Jia-Ju Bai
hid_alloc_report_buf(GFP_KERNEL) This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- v2: * Make the description more human readable. Thanks Jiri for good advice. --- drivers/hid/hid-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers

[PATCH 1/2] staging: rtl8723bs: Fix a sleep-in-atomic-context bug in issue_deauth_ex()

2018-09-14 Thread Jia-Ju Bai
bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c index

[PATCH 2/2] staging: rtl8723bs: Fix two sleep-in-atomic-context bugs in _rtw_pwr_wakeup()

2018-09-14 Thread Jia-Ju Bai
: _rtw_pwr_wakeup in rtw_set_802_11_disassociate drivers/staging/rtl8723bs/core/rtw_ioctl_set.c, 501: spin_lock_bh in rtw_set_802_11_disassociate To fix these bugs, msleep() is replaced with mdelay(). These bugs are found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers

[PATCH] staging: rtl8188eu: Fix a sleep-in-atomic-context bug in issue_deauth_ex()

2018-09-14 Thread Jia-Ju Bai
: rtw_set_802_11_infrastructure_mode in rtw_wx_set_wap drivers/staging/rtl8188eu/os_dep/ioctl_linux.c, 988: spin_lock_bh in rtw_wx_set_wap To fix this bug, msleep() is replaced with mdelay(). This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/staging/rtl8188eu/core

[BUG] mfd: ezx-pcap: Possible sleep-in-atomic-context bugs in pcap_adc_irq()

2018-09-15 Thread Jia-Ju Bai
] mutex_lock_nested drivers/mfd/ezx-pcap.c, 244: mutex_lock_nested in pcap_adc_trigger drivers/mfd/ezx-pcap.c, 299: pcap_adc_trigger in pcap_adc_irq (interrupt handler) These bugs are found by my static analysis tool DSAC. Best wishes, Jia-Ju Bai

Re: [PATCH] hid: hid-core: Fix a sleep-in-atomic-context bug in __hid_request()

2018-09-05 Thread Jia-Ju Bai
On 2018/9/5 16:29, Jiri Kosina wrote: On Sat, 1 Sep 2018, Jia-Ju Bai wrote: The driver may sleep with holding a spinlock. The function call paths (from bottom to top) in Linux-4.16 are: [FUNC] hid_alloc_report_buf(GFP_KERNEL) drivers/hid/hid-core.c, 1435: hid_alloc_report_buf in

[BUG] sound: pci: trident: a possible data race

2018-10-03 Thread Jia-Ju Bai
ration in CPU0 is performed with holding a spinlock, but the READ operation in CPU1 is performed without holding this spinlock, so there may exist a data race. Best wishes, Jia-Ju Bai

Re: [PATCH v2] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()

2018-09-11 Thread Jia-Ju Bai
On 2018/9/11 15:49, Sebastian Andrzej Siewior wrote: On 2018-09-01 16:12:10 [+0800], Jia-Ju Bai wrote: wdm_in_callback() is a completion handler function for the USB driver. So it should not sleep. But it calls service_outstanding_interrupt(), which calls usb_submit_urb() with GFP_KERNEL

Re: [PATCH] pci: dwc: pcie_designware: Fix a sleep-in-atomic-context bug in dw_pcie_prog_outbound_atu

2018-09-11 Thread Jia-Ju Bai
On 2018/9/11 16:40, Gustavo Pimentel wrote: Hi Jia, On 02/09/2018 04:38, Jia-Ju Bai wrote: The driver may sleep with holding a spinlock and in an interrupt handler. The function call paths (from bottom to top) in Linux-4.16 are: [FUNC] usleep_range drivers/pci/dwc/pcie-designware.c, 181

[PATCH] staging: rtl8188eu: Fix two sleep-in-atomic-context bugs in rtw_chk_hi_queue_cmd()

2018-09-01 Thread Jia-Ju Bai
/usb_ops_linux.c, 604: rtw_chk_hi_queue_cmd in usb_write_port_complete To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC. These bugs are found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/staging/rtl8188eu/core/rtw_cmd.c | 4 ++-- 1 file changed, 2

[PATCH] infiniband: hw: hns: Fix a sleep-in-atomic-context bug in hns_roce_set_hem()

2018-09-01 Thread Jia-Ju Bai
fix this bug, msleep() is replaced with mdelay(). This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers

[PATCH] infiniband: core: mad: Fix a sleep-in-atomic-context bug in ib_mad_recv_done()

2018-09-01 Thread Jia-Ju Bai
: spin_lock_irq in srp_send_tsk_mgmt To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/infiniband/core/mad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers

[PATCH] hid: hid-core: Fix a sleep-in-atomic-context bug in __hid_request()

2018-09-01 Thread Jia-Ju Bai
: _raw_spin_lock_irqsave in lg4ff_play To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/hid/hid-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c

[PATCH] pci: dwc: pcie_designware: Fix a sleep-in-atomic-context bug in dw_pcie_prog_outbound_atu

2018-09-01 Thread Jia-Ju Bai
, 5241: _raw_spin_lock_irqsave in intel_iommu_enable_pasid To fix this bug, usleep_range() is replaced with udelay(). This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai --- drivers/pci/controller/dwc/pcie-designware.c | 2 +- 1 file changed, 1 insertion(+), 1

Re: [PATCH] infiniband: core: mad: Fix a sleep-in-atomic-context bug in ib_mad_recv_done()

2018-09-02 Thread Jia-Ju Bai
On 2018/9/3 4:32, Jason Gunthorpe wrote: On Sat, Sep 01, 2018 at 08:06:59PM +0800, Jia-Ju Bai wrote: The driver may sleep with holding a spinlock. The function call paths (from bottom to top) in Linux-4.16 are: [FUNC] alloc_mad_private(GFP_KERNEL) drivers/infiniband/core/mad.c, 2264

Re: [PATCH v3] staging: vt6655: check for memory allocation failures

2018-03-29 Thread Jia-Ju Bai
device_free_rd1_ring(priv); error_init_rd1_ring: device_free_rd0_ring(priv); error_init_rd0_ring: return ret; Best wishes, Jia-Ju Bai

Re: [PATCH v3] staging: vt6655: check for memory allocation failures

2018-03-29 Thread Jia-Ju Bai
On 2018/3/30 11:39, Ji-Hun Kim wrote: On Fri, Mar 30, 2018 at 11:15:03AM +0800, Jia-Ju Bai wrote: On 2018/3/30 10:44, Ji-Hun Kim wrote: @@ -1165,10 +1205,18 @@ static int vnt_start(struct ieee80211_hw *hw) } dev_dbg(&priv->pcid->dev, "call device

Re: [PATCH v4 1/2] staging: vt6655: check for memory allocation failures

2018-03-31 Thread Jia-Ju Bai
+ goto err_init_td1_ring; device_init_registers(priv); @@ -1178,6 +1226,15 @@ static int vnt_start(struct ieee80211_hw *hw) ieee80211_wake_queues(hw); return 0; + +err_init_td1_ring: + device_free_td0_ring(priv); +err_init_td0_ring: + device_free_rd1_ring(priv); +err_init_rd1_ring: + device_free_rd0_ring(priv); +err_init_rd0_ring: + return ret; } static void vnt_stop(struct ieee80211_hw *hw) It looks okay now :) Best wishes, Jia-Ju Bai
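Review bot: the four labels in the hunk all fall through to `return ret;` without assigning it, so every `goto err_init_*_ring` site must store the failing call's error code in `ret` first; the visible `goto err_init_td1_ring;` line shows no such assignment, so confirm that a `ret = ...` precedes each jump (or have the label path return the error value directly). The unwind order itself is right: a td1 failure frees td0, then rd1, then rd0, each label releasing only what the earlier steps allocated.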

[PATCH] char: pcmcia: cm4000_cs: Replace mdelay with usleep_range in set_protocol

2018-03-18 Thread Jia-Ju Bai
ations structure "cm4000_fops". Despite never getting called from atomic context, set_protocol() calls mdelay(10), i.e. busy wait for 10ms. That is not necessary and can be replaced with usleep_range to avoid busy waiting. This is found by a static analysis tool named DCNS written by myse

[PATCH] crypto: cavium: cpt: Replace mdelay with msleep in cpt_device_init

2018-03-18 Thread Jia-Ju Bai
cpt_device_init() calls mdelay(100), i.e. busy wait for 100ms. That is not necessary and can be replaced with msleep to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai --- drivers/crypto/cavium/cpt/cptpf_main.c | 2 +- 1 file cha

[PATCH 1/3] sound: usb: line6: Replace mdelay with msleep in line6_read_data

2018-03-18 Thread Jia-Ju Bai
. That is not necessary and can be replaced with msleep to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai --- sound/usb/line6/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/usb/line6/driver

[PATCH 2/3] sound: usb: line6: Replace mdelay with msleep in line6_write_data

2018-03-18 Thread Jia-Ju Bai
getting called from atomic context, line6_write_data() calls mdelay for busy wait. That is not necessary and can be replaced with msleep to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai --- sound/usb/line6/driver.c | 2 +- 1 file

[PATCH 3/3] sound: usb: line6: Replace GFP_ATOMIC with GFP_KERNEL in line6_alloc_sysex_buffer

2018-03-18 Thread Jia-Ju Bai
t. Despite never getting called from atomic context, line6_alloc_sysex_buffer() calls kmalloc with GFP_ATOMIC, which waits busily for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL to avoid busy waiting. This is found by a static analysis tool named DCNS written b

[PATCH 1/2] pci: host: pci-hyperv: Replace GFP_ATOMIC with GFP_KERNEL in hv_pci_onchannelcallback

2018-03-18 Thread Jia-Ju Bai
led from atomic context, hv_pci_onchannelcallback() calls kmalloc with GFP_ATOMIC, which waits busily for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-J

[PATCH 2/2] pci: host: pci-hyperv: Replace GFP_ATOMIC with GFP_KERNEL in new_pcichild_device

2018-03-18 Thread Jia-Ju Bai
ice() calls kzalloc with GFP_ATOMIC, which waits busily for allocation. GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL to avoid busy waiting. This is found by a static analysis tool named DCNS written by myself. Signed-off-by: Jia-Ju Bai --- drivers/pci/host/pci-hyperv.c | 2 +- 1 f

Re: [PATCH 1/2] pci: host: pci-hyperv: Replace GFP_ATOMIC with GFP_KERNEL in hv_pci_onchannelcallback

2018-03-18 Thread Jia-Ju Bai
On 2018/3/19 10:52, KY Srinivasan wrote: -Original Message- From: Jia-Ju Bai Sent: Sunday, March 18, 2018 7:53 AM To: KY Srinivasan ; Haiyang Zhang ; Stephen Hemminger ; bhelg...@google.com Cc: de...@linuxdriverproject.org; linux-...@vger.kernel.org; linux- ker...@vger.kernel.org

Re: [PATCH 1/2] pci: host: pci-hyperv: Replace GFP_ATOMIC with GFP_KERNEL in hv_pci_onchannelcallback

2018-03-19 Thread Jia-Ju Bai
On 2018/3/19 16:38, Dan Carpenter wrote: On Sun, Mar 18, 2018 at 10:53:02PM +0800, Jia-Ju Bai wrote: hv_pci_onchannelcallback() is not called in atomic context. The call chain ending up at hv_pci_onchannelcallback() is: [1] hv_pci_onchannelcallback() <- hv_pci_probe() hv_pci_probe() is o

Re: [PATCH] acpi: scan: Fix a possible data race in acpi_scan_hotplug_enabled

2018-05-08 Thread Jia-Ju Bai
On 2018/5/9 4:17, Rafael J. Wysocki wrote: On Tue, May 8, 2018 at 5:08 AM, Jia-Ju Bai wrote: The write operation to "hotplug->enabled" is protected by the lock on line 1760, but the read operation to this data on line 1755 is not protected by the lock. Thus, there may exist a

[PATCH] net: 8390: Fix possible data races in __ei_get_stats

2018-05-07 Thread Jia-Ju Bai
ations to "dev->stats" are protected by the spinlock, and a local variable is used for return. Signed-off-by: Jia-Ju Bai --- drivers/net/ethernet/8390/lib8390.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/8390/lib8390.c b/dr

Re: [PATCH] net: 8390: Fix possible data races in __ei_get_stats

2018-05-07 Thread Jia-Ju Bai
On 2018/5/7 22:15, Eric Dumazet wrote: On 05/07/2018 07:08 AM, Jia-Ju Bai wrote: The write operations to "dev->stats" are protected by the spinlock on line 862-864, but the read operations to this data on line 858 and 867 are not protected by the spinlock. Thus, there may exi

Re: [PATCH] net: 8390: Fix possible data races in __ei_get_stats

2018-05-07 Thread Jia-Ju Bai
On 2018/5/8 9:56, Eric Dumazet wrote: On 05/07/2018 05:51 PM, Jia-Ju Bai wrote: On 2018/5/7 22:15, Eric Dumazet wrote: On 05/07/2018 07:08 AM, Jia-Ju Bai wrote: The write operations to "dev->stats" are protected by the spinlock on line 862-864, but the read operations to this

[PATCH] acpi: scan: Fix a possible data race in acpi_scan_hotplug_enabled

2018-05-07 Thread Jia-Ju Bai
"hotplug->enabled" is also protected by the lock. Signed-off-by: Jia-Ju Bai --- drivers/acpi/scan.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c index 970dd87d347c..e21d7b0f7179 100644 --- a/drivers/acpi/scan.c +++ b/d
