--- /dev/null
+From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Tue, 7 Mar 2023 23:29:17 +0800
+Subject: igb: revert rtnl_lock() that causes deadlock
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 65f69851e44d71248b952a687e44759a7abb5016 upstream.
+
+The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds
+rtnl_lock to eliminate a false data race shown below
+
+ (FREE from device detaching) | (USE from netdev core)
+igb_remove | igb_ndo_get_vf_config
+ igb_disable_sriov | vf >= adapter->vfs_allocated_count?
+ kfree(adapter->vf_data) |
+ adapter->vfs_allocated_count = 0 |
+ | memcpy(... adapter->vf_data[vf]
+
+The above race will never happen and the extra rtnl_lock causes deadlock
+below
+
+[ 141.420169] <TASK>
+[ 141.420672] __schedule+0x2dd/0x840
+[ 141.421427] schedule+0x50/0xc0
+[ 141.422041] schedule_preempt_disabled+0x11/0x20
+[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0
+[ 141.423324] unregister_netdev+0xe/0x20
+[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf]
+[ 141.423791] pci_device_remove+0x36/0xb0
+[ 141.423990] device_release_driver_internal+0xc1/0x160
+[ 141.424270] pci_stop_bus_device+0x6d/0x90
+[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20
+[ 141.424789] pci_iov_remove_virtfn+0xba/0x120
+[ 141.425452] sriov_disable+0x2f/0xf0
+[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb]
+[ 141.426353] igb_remove+0xa0/0x130 [igb]
+[ 141.426599] pci_device_remove+0x36/0xb0
+[ 141.426796] device_release_driver_internal+0xc1/0x160
+[ 141.427060] driver_detach+0x44/0x90
+[ 141.427253] bus_remove_driver+0x55/0xe0
+[ 141.427477] pci_unregister_driver+0x2a/0xa0
+[ 141.428296] __x64_sys_delete_module+0x141/0x2b0
+[ 141.429126] ? mntput_no_expire+0x4a/0x240
+[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0
+[ 141.429653] do_syscall_64+0x5b/0x80
+[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0
+[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.430849] ? do_syscall_64+0x67/0x80
+[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0
+[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.432482] ? do_syscall_64+0x67/0x80
+[ 141.432714] ? exc_page_fault+0x64/0x140
+[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Since the igb_disable_sriov() will call pci_disable_sriov() before
+releasing any resources, the netdev core will synchronize the cleanup to
+avoid any races. This patch removes the useless rtnl_(un)lock to guarantee
+correctness.
+
+CC: stable@vger.kernel.org
+Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race")
+Reported-by: Corinna Vinschen <vinschen@redhat.com>
+Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Tested-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -2990,9 +2990,7 @@ static void igb_remove(struct pci_dev *p
+ igb_release_hw_control(adapter);
+
+ #ifdef CONFIG_PCI_IOV
+- rtnl_lock();
+ igb_disable_sriov(pdev);
+- rtnl_unlock();
+ #endif
+
+ unregister_netdev(netdev);
sh-sanitize-the-flags-on-sigreturn.patch
scsi-core-add-blist_skip_vpd_pages-for-skhynix-h28u74301amr.patch
usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch
+igb-revert-rtnl_lock-that-causes-deadlock.patch
+usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
+usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
--- /dev/null
+From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:15 +0800
+Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 3670de80678961eda7fa2220883fc77c16868951 upstream.
+
+It should not return -EINVAL if the request role is the same with current
+role, return non-error and without do anything instead.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -875,9 +875,12 @@ static ssize_t ci_role_store(struct devi
+ strlen(ci->roles[role]->name)))
+ break;
+
+- if (role == CI_ROLE_END || role == ci->role)
++ if (role == CI_ROLE_END)
+ return -EINVAL;
+
++ if (role == ci->role)
++ return n;
++
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+ ci_role_stop(ci);
--- /dev/null
+From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:16 +0800
+Subject: usb: chipidea: core: fix possible concurrent when switch role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream.
+
+The user may call role_store() when driver is handling
+ci_handle_id_switch() which is triggerred by otg event or power lost
+event. Unfortunately, the controller may go into chaos in this case.
+Fix this by protecting it with mutex lock.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/ci.h | 2 ++
+ drivers/usb/chipidea/core.c | 8 +++++++-
+ drivers/usb/chipidea/otg.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/chipidea/ci.h
++++ b/drivers/usb/chipidea/ci.h
+@@ -205,6 +205,7 @@ struct hw_bank {
+ * @in_lpm: if the core in low power mode
+ * @wakeup_int: if wakeup interrupt occur
+ * @rev: The revision number for controller
++ * @mutex: protect code from concorrent running when doing role switch
+ */
+ struct ci_hdrc {
+ struct device *dev;
+@@ -259,6 +260,7 @@ struct ci_hdrc {
+ bool in_lpm;
+ bool wakeup_int;
+ enum ci_revision rev;
++ struct mutex mutex;
+ };
+
+ static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci)
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -878,8 +878,12 @@ static ssize_t ci_role_store(struct devi
+ if (role == CI_ROLE_END)
+ return -EINVAL;
+
+- if (role == ci->role)
++ mutex_lock(&ci->mutex);
++
++ if (role == ci->role) {
++ mutex_unlock(&ci->mutex);
+ return n;
++ }
+
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+@@ -889,6 +893,7 @@ static ssize_t ci_role_store(struct devi
+ ci_handle_vbus_change(ci);
+ enable_irq(ci->irq);
+ pm_runtime_put_sync(dev);
++ mutex_unlock(&ci->mutex);
+
+ return (ret == 0) ? n : ret;
+ }
+@@ -927,6 +932,7 @@ static int ci_hdrc_probe(struct platform
+ return -ENOMEM;
+
+ spin_lock_init(&ci->lock);
++ mutex_init(&ci->mutex);
+ ci->dev = dev;
+ ci->platdata = dev_get_platdata(dev);
+ ci->imx28_write_fix = !!(ci->platdata->flags &
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct
+
+ static void ci_handle_id_switch(struct ci_hdrc *ci)
+ {
+- enum ci_role role = ci_otg_role(ci);
++ enum ci_role role;
+
++ mutex_lock(&ci->mutex);
++ role = ci_otg_role(ci);
+ if (role != ci->role) {
+ dev_dbg(ci->dev, "switching from %s to %s\n",
+ ci_role(ci)->name, ci->roles[role]->name);
+@@ -191,6 +193,7 @@ static void ci_handle_id_switch(struct c
+ if (role == CI_ROLE_GADGET)
+ ci_handle_vbus_change(ci);
+ }
++ mutex_unlock(&ci->mutex);
+ }
+ /**
+ * ci_otg_work - perform otg (vbus/id) event handle
projects / thirdparty / kernel / stable-queue.git / commitdiff
