git.ipfire.org Git - thirdparty/linux.git/commit

author	Runyu Xiao <runyu.xiao@seu.edu.cn>
	Fri, 19 Jun 2026 15:18:16 +0000 (23:18 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 24 Jun 2026 02:10:29 +0000 (19:10 -0700)
commit	f48763beab4eea41fc480c9702ec6eebe8d75e4f
tree	a6c54cf10a9a1d0a11a790dbd8bc311eb05f3d1e	tree \| snapshot
parent	9f58a0a4d6c2ed5d341bba64f058f15d1b0c36f2	commit \| diff

net: au1000: move free_irq out of the close-time spinlocked section

au1000_close() calls free_irq() while aup->lock is still held with
spin_lock_irqsave(). free_irq() can sleep because it takes the IRQ
descriptor request mutex, so it does not belong inside the close-time
spinlocked section.

This was found by our static analysis tool and then confirmed by manual
review of the in-tree au1000_close() .ndo_stop path. The reviewed path
keeps aup->lock held across the MAC reset, queue stop and
free_irq(dev->irq, dev).

A directed runtime validation kept that ndo_stop carrier and the same
free_irq(dev->irq, dev) operation under the driver lock. Lockdep reported
"BUG: sleeping function called from invalid context" and "Invalid wait
context" while free_irq() was taking desc->request_mutex, with
au1000_close() and free_irq() on the stack.

Drop aup->lock before freeing the IRQ. The protected close-time work still
stops the device and queue before IRQ teardown, but the sleepable IRQ core
path now runs outside the spinlocked section.

Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260619151816.1144289-1-runyu.xiao@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>