4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Greear greearb@candelatech.com
[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]
While debugging driver crashes related to a buggy firmware crashing under load, I noticed that ath10k_htt_rx_ring_free could be called without being under lock. I'm not sure if this is the root cause of the crash or not, but it seems prudent to protect it.
Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware running on 9984 NIC.
Signed-off-by: Ben Greear greearb@candelatech.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -212,11 +212,12 @@ int ath10k_htt_rx_ring_refill(struct ath spin_lock_bh(&htt->rx_ring.lock); ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level - htt->rx_ring.fill_cnt)); - spin_unlock_bh(&htt->rx_ring.lock);
if (ret) ath10k_htt_rx_ring_free(htt);
+ spin_unlock_bh(&htt->rx_ring.lock); + return ret; }
@@ -230,7 +231,9 @@ void ath10k_htt_rx_free(struct ath10k_ht skb_queue_purge(&htt->rx_compl_q); skb_queue_purge(&htt->rx_in_ord_compl_q);
+ spin_lock_bh(&htt->rx_ring.lock); ath10k_htt_rx_ring_free(htt); + spin_unlock_bh(&htt->rx_ring.lock);
dma_free_coherent(htt->ar->dev, (htt->rx_ring.size *