diff mbox

[v2] ath10k: Protect ath10k_htt_rx_ring_free with rx_ring.lock

Message ID 1529006895-5105-1-git-send-email-greearb@candelatech.com (mailing list archive)
State Accepted
Commit 168f75f11fe68455e0d058a818ebccfc329d8685
Delegated to: Kalle Valo
Headers show

Commit Message

Ben Greear June 14, 2018, 8:08 p.m. UTC
From: Ben Greear <greearb@candelatech.com>

While debugging driver crashes related to a buggy firmware
crashing under load, I noticed that ath10k_htt_rx_ring_free
could be called without being under lock.  I'm not sure if this
is the root cause of the crash or not, but it seems prudent to
protect it.

Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
running on 9984 NIC.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---

v2:  Update description to specify how it was tested.
     Generate patch against linux-ath tree (original patch applied with offset)

 drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Kalle Valo June 28, 2018, 9:50 a.m. UTC | #1
Ben Greear <greearb@candelatech.com> wrote:

> While debugging driver crashes related to a buggy firmware
> crashing under load, I noticed that ath10k_htt_rx_ring_free
> could be called without being under lock.  I'm not sure if this
> is the root cause of the crash or not, but it seems prudent to
> protect it.
> 
> Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
> running on 9984 NIC.
> 
> Signed-off-by: Ben Greear <greearb@candelatech.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

168f75f11fe6 ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
diff mbox

Patch

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index bd23f69..ccd03f8 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -268,11 +268,12 @@  int ath10k_htt_rx_ring_refill(struct ath10k *ar)
 	spin_lock_bh(&htt->rx_ring.lock);
 	ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level -
 					      htt->rx_ring.fill_cnt));
-	spin_unlock_bh(&htt->rx_ring.lock);
 
 	if (ret)
 		ath10k_htt_rx_ring_free(htt);
 
+	spin_unlock_bh(&htt->rx_ring.lock);
+
 	return ret;
 }
 
@@ -284,7 +285,9 @@  void ath10k_htt_rx_free(struct ath10k_htt *htt)
 	skb_queue_purge(&htt->rx_in_ord_compl_q);
 	skb_queue_purge(&htt->tx_fetch_ind_q);
 
+	spin_lock_bh(&htt->rx_ring.lock);
 	ath10k_htt_rx_ring_free(htt);
+	spin_unlock_bh(&htt->rx_ring.lock);
 
 	dma_free_coherent(htt->ar->dev,
 			  ath10k_htt_get_rx_ring_size(htt),