From: Jia-Ju Bai <baijiaju1990@163.com>
Date: Tue, 12 Dec 2017 08:49:52 +0000 (+0800)
Subject: hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e94fc847bd6e405e7c2b8849e52c102070777387;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close


[ Upstream commit 6e266610eb6553cfb7e7eb5d11914bd01509c406 ]

The driver may sleep under a spinlock.
The function call path is:
rr_close (acquire the spinlock)
  free_irq --> may sleep

To fix it, free_irq is moved to the place without holding the spinlock.

This bug is found by my static analysis tool(DSAC) and checked by my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c
index 71ddadbf2368..d7ba2b813eff 100644
--- a/drivers/net/hippi/rrunner.c
+++ b/drivers/net/hippi/rrunner.c
@@ -1381,8 +1381,8 @@ static int rr_close(struct net_device *dev)
 			    rrpriv->info_dma);
 	rrpriv->info = NULL;
 
-	free_irq(pdev->irq, dev);
 	spin_unlock_irqrestore(&rrpriv->lock, flags);
+	free_irq(pdev->irq, dev);
 
 	return 0;
 }