Return-path: Received: from mail2.candelatech.com ([208.74.158.173]:42968 "EHLO mail2.candelatech.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932973AbeFGQLm (ORCPT ); Thu, 7 Jun 2018 12:11:42 -0400 From: greearb@candelatech.com To: ath10k@lists.infradead.org, kvalo@codeaurora.org Cc: linux-wireless@vger.kernel.org, Ben Greear Subject: [PATCH] ath10k: Protect ath10k_htt_rx_ring_free with rx_ring.lock Date: Thu, 7 Jun 2018 09:11:37 -0700 Message-Id: <1528387897-6781-1-git-send-email-greearb@candelatech.com> (sfid-20180607_181206_098139_73BA5467) Sender: linux-wireless-owner@vger.kernel.org List-ID: From: Ben Greear While debugging driver crashes related to a buggy firmware crashing under load, I noticed that ath10k_htt_rx_ring_free could be called without being under lock. I'm not sure if this is the root cause of the crash or not, but it seems prudent to protect it. Signed-off-by: Ben Greear --- drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index d74901d..963ddc1 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -266,11 +266,12 @@ int ath10k_htt_rx_ring_refill(struct ath10k *ar) spin_lock_bh(&htt->rx_ring.lock); ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level - htt->rx_ring.fill_cnt)); - spin_unlock_bh(&htt->rx_ring.lock); if (ret) ath10k_htt_rx_ring_free(htt); + spin_unlock_bh(&htt->rx_ring.lock); + return ret; } @@ -282,7 +283,9 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) skb_queue_purge(&htt->rx_in_ord_compl_q); skb_queue_purge(&htt->tx_fetch_ind_q); + spin_lock_bh(&htt->rx_ring.lock); ath10k_htt_rx_ring_free(htt); + spin_unlock_bh(&htt->rx_ring.lock); dma_free_coherent(htt->ar->dev, htt->rx_ops->htt_get_rx_ring_size(htt), -- 2.4.11
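Review bot: In the first hunk (ath10k_htt_rx_ring_refill), moving spin_unlock_bh() below the `if (ret) ath10k_htt_rx_ring_free(htt);` call means the free path now runs with rx_ring.lock held and bottom halves disabled, and the body of ath10k_htt_rx_ring_free() is not part of this diff. Please confirm in the commit message that nothing it calls can sleep or take rx_ring.lock again. Since every caller is now expected to hold the lock, consider adding `lockdep_assert_held(&htt->rx_ring.lock);` at the top of ath10k_htt_rx_ring_free() so the new locking contract is documented and checked on lockdep builds.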
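Review bot: In the second hunk (ath10k_htt_rx_free), the lock is dropped right before `dma_free_coherent(htt->ar->dev, ...)`, so the ring memory itself is released outside the critical section. If another context can still reach the ring at this point, which is what taking the lock here implies, it can acquire rx_ring.lock after the unlock and touch memory that is being freed, so the lock narrows the window rather than closing it. The commit message should state what stops the rx and refill paths before ath10k_htt_rx_free() runs; the lines before the hunk are not visible here. The message also says it is not known whether this is the root cause of the crash, so a note on which concurrent caller was observed or suspected would help reviewers judge whether the lock is sufficient.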