From: Jia-Ju Bai
Cc: freebsd-drivers@freebsd.org, freebsd-acpi@freebsd.org, Jia-Ju Bai
Subject: [Bug 220096][PATCH] acpi_thermal: Fix a possible sleep-under-mutex bug in acpi_tz_thread
Date: Sun, 18 Jun 2017 17:52:45 +0800
Message-Id: <20170618095245.40693-1-baijiaju1990@163.com>

The driver may sleep under a mutex, and the code path is:
acpi_tz_thread [line 992: acquire the mutex]
acpi_tz_thread [line 993]
acpi_tz_thread [line 1003]
acpi_tz_thread [line 1004] (msleep is executed)
acpi_tz_thread [line 1008]
acpi_tz_thread [line 970]
acpi_tz_thread [line 971]
acpi_tz_thread [line 975]
malloc(M_WAITOK) [line 976]

The possible fix of this bug is to replace "M_WAITOK" in malloc with "M_NOWAIT".

This bug is found by a static analysis tool written by myself, and it is checked by my review of the FreeBSD code.

Signed-off-by: Jia-Ju Bai
--- sys/dev/acpica/acpi_thermal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/dev/acpica/acpi_thermal.c b/sys/dev/acpica/acpi_thermal.c index b2b2a13aa88..fb9f44b5711 100644 --- a/sys/dev/acpica/acpi_thermal.c +++ b/sys/dev/acpica/acpi_thermal.c 
@@ -974,7 +974,7 @@ acpi_tz_thread(void *arg) } devclass_get_devices(acpi_tz_devclass, &devs, &devcount); sc = malloc(sizeof(struct acpi_tz_softc *) * devcount, M_TEMP, - M_WAITOK | M_ZERO); + M_NOWAIT | M_ZERO); for (i = 0; i < devcount; i++) sc[i] = device_get_softc(devs[i]); } -- 2.13.0
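Review bot: The malloc result is used unchecked in the loop right after the changed line, and with M_NOWAIT that allocation can now return NULL, so the first `sc[i] = device_get_softc(devs[i]);` would become a NULL pointer write in the kernel thread when memory is tight. Please add a `sc == NULL` check after the malloc that skips or retries the device-list rebuild for this pass. Alternatively, keep `M_WAITOK | M_ZERO` and drop the mutex named in the commit message around the allocation, so the sleep happens unlocked and the call cannot fail. The return value of `devclass_get_devices(acpi_tz_devclass, &devs, &devcount)` on the line above is also ignored in this hunk, so `devcount` and `devs` are trusted without confirming the call succeeded. Checking that return value in the same change would be worthwhile.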