From: Greg Kroah-Hartman Date: Tue, 28 Mar 2023 12:03:27 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.15.105~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b068b268eb05d7e4ab7162981ee087961b6cc03;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: igb-revert-rtnl_lock-that-causes-deadlock.patch usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch --- diff --git a/queue-4.14/igb-revert-rtnl_lock-that-causes-deadlock.patch b/queue-4.14/igb-revert-rtnl_lock-that-causes-deadlock.patch new file mode 100644 index 00000000000..cd29eaf808c --- /dev/null +++ b/queue-4.14/igb-revert-rtnl_lock-that-causes-deadlock.patch @@ -0,0 +1,87 @@ +From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Tue, 7 Mar 2023 23:29:17 +0800 +Subject: igb: revert rtnl_lock() that causes deadlock + +From: Lin Ma + +commit 65f69851e44d71248b952a687e44759a7abb5016 upstream. + +The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds +rtnl_lock to eliminate a false data race shown below + + (FREE from device detaching) | (USE from netdev core) +igb_remove | igb_ndo_get_vf_config + igb_disable_sriov | vf >= adapter->vfs_allocated_count? + kfree(adapter->vf_data) | + adapter->vfs_allocated_count = 0 | + | memcpy(... adapter->vf_data[vf] + +The above race will never happen and the extra rtnl_lock causes deadlock +below + +[ 141.420169] +[ 141.420672] __schedule+0x2dd/0x840 +[ 141.421427] schedule+0x50/0xc0 +[ 141.422041] schedule_preempt_disabled+0x11/0x20 +[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0 +[ 141.423324] unregister_netdev+0xe/0x20 +[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf] +[ 141.423791] pci_device_remove+0x36/0xb0 +[ 141.423990] device_release_driver_internal+0xc1/0x160 +[ 141.424270] pci_stop_bus_device+0x6d/0x90 +[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20 +[ 141.424789] pci_iov_remove_virtfn+0xba/0x120 +[ 141.425452] sriov_disable+0x2f/0xf0 +[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb] +[ 141.426353] igb_remove+0xa0/0x130 [igb] +[ 141.426599] pci_device_remove+0x36/0xb0 +[ 141.426796] device_release_driver_internal+0xc1/0x160 +[ 141.427060] driver_detach+0x44/0x90 +[ 141.427253] bus_remove_driver+0x55/0xe0 +[ 141.427477] pci_unregister_driver+0x2a/0xa0 +[ 141.428296] __x64_sys_delete_module+0x141/0x2b0 +[ 141.429126] ? mntput_no_expire+0x4a/0x240 +[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0 +[ 141.429653] do_syscall_64+0x5b/0x80 +[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0 +[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.430849] ? do_syscall_64+0x67/0x80 +[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0 +[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30 +[ 141.432482] ? do_syscall_64+0x67/0x80 +[ 141.432714] ? exc_page_fault+0x64/0x140 +[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Since the igb_disable_sriov() will call pci_disable_sriov() before +releasing any resources, the netdev core will synchronize the cleanup to +avoid any races. This patch removes the useless rtnl_(un)lock to guarantee +correctness. + +CC: stable@vger.kernel.org +Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race") +Reported-by: Corinna Vinschen +Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/ +Signed-off-by: Lin Ma +Tested-by: Corinna Vinschen +Reviewed-by: Jacob Keller +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -2990,9 +2990,7 @@ static void igb_remove(struct pci_dev *p + igb_release_hw_control(adapter); + + #ifdef CONFIG_PCI_IOV +- rtnl_lock(); + igb_disable_sriov(pdev); +- rtnl_unlock(); + #endif + + unregister_netdev(netdev); diff --git a/queue-4.14/series b/queue-4.14/series index c71f6889491..3fb9e13c11a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -30,3 +30,6 @@ net-usb-qmi_wwan-add-telit-0x1080-composition.patch sh-sanitize-the-flags-on-sigreturn.patch scsi-core-add-blist_skip_vpd_pages-for-skhynix-h28u74301amr.patch usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch +igb-revert-rtnl_lock-that-causes-deadlock.patch +usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch +usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch diff --git a/queue-4.14/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch b/queue-4.14/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch new file mode 100644 index 00000000000..b5d536c6351 --- /dev/null +++ b/queue-4.14/usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch @@ -0,0 +1,38 @@ +From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:15 +0800 +Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role + +From: Xu Yang + +commit 3670de80678961eda7fa2220883fc77c16868951 upstream. + +It should not return -EINVAL if the request role is the same with current +role, return non-error and without do anything instead. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -875,9 +875,12 @@ static ssize_t ci_role_store(struct devi + strlen(ci->roles[role]->name))) + break; + +- if (role == CI_ROLE_END || role == ci->role) ++ if (role == CI_ROLE_END) + return -EINVAL; + ++ if (role == ci->role) ++ return n; ++ + pm_runtime_get_sync(dev); + disable_irq(ci->irq); + ci_role_stop(ci); diff --git a/queue-4.14/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch b/queue-4.14/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch new file mode 100644 index 00000000000..7016647ad20 --- /dev/null +++ b/queue-4.14/usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch @@ -0,0 +1,98 @@ +From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Fri, 17 Mar 2023 14:15:16 +0800 +Subject: usb: chipidea: core: fix possible concurrent when switch role + +From: Xu Yang + +commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream. + +The user may call role_store() when driver is handling +ci_handle_id_switch() which is triggerred by otg event or power lost +event. Unfortunately, the controller may go into chaos in this case. +Fix this by protecting it with mutex lock. + +Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group") +cc: +Acked-by: Peter Chen +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/ci.h | 2 ++ + drivers/usb/chipidea/core.c | 8 +++++++- + drivers/usb/chipidea/otg.c | 5 ++++- + 3 files changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/chipidea/ci.h ++++ b/drivers/usb/chipidea/ci.h +@@ -205,6 +205,7 @@ struct hw_bank { + * @in_lpm: if the core in low power mode + * @wakeup_int: if wakeup interrupt occur + * @rev: The revision number for controller ++ * @mutex: protect code from concorrent running when doing role switch + */ + struct ci_hdrc { + struct device *dev; +@@ -259,6 +260,7 @@ struct ci_hdrc { + bool in_lpm; + bool wakeup_int; + enum ci_revision rev; ++ struct mutex mutex; + }; + + static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci) +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -878,8 +878,12 @@ static ssize_t ci_role_store(struct devi + if (role == CI_ROLE_END) + return -EINVAL; + +- if (role == ci->role) ++ mutex_lock(&ci->mutex); ++ ++ if (role == ci->role) { ++ mutex_unlock(&ci->mutex); + return n; ++ } + + pm_runtime_get_sync(dev); + disable_irq(ci->irq); +@@ -889,6 +893,7 @@ static ssize_t ci_role_store(struct devi + ci_handle_vbus_change(ci); + enable_irq(ci->irq); + pm_runtime_put_sync(dev); ++ mutex_unlock(&ci->mutex); + + return (ret == 0) ? n : ret; + } +@@ -927,6 +932,7 @@ static int ci_hdrc_probe(struct platform + return -ENOMEM; + + spin_lock_init(&ci->lock); ++ mutex_init(&ci->mutex); + ci->dev = dev; + ci->platdata = dev_get_platdata(dev); + ci->imx28_write_fix = !!(ci->platdata->flags & +--- a/drivers/usb/chipidea/otg.c ++++ b/drivers/usb/chipidea/otg.c +@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct + + static void ci_handle_id_switch(struct ci_hdrc *ci) + { +- enum ci_role role = ci_otg_role(ci); ++ enum ci_role role; + ++ mutex_lock(&ci->mutex); ++ role = ci_otg_role(ci); + if (role != ci->role) { + dev_dbg(ci->dev, "switching from %s to %s\n", + ci_role(ci)->name, ci->roles[role]->name); +@@ -191,6 +193,7 @@ static void ci_handle_id_switch(struct c + if (role == CI_ROLE_GADGET) + ci_handle_vbus_change(ci); + } ++ mutex_unlock(&ci->mutex); + } + /** + * ci_otg_work - perform otg (vbus/id) event handle