ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock

While debugging driver crashes related to a buggy firmware
crashing under load, I noticed that ath10k_htt_rx_ring_free
could be called without being under lock.  I'm not sure if this
is the root cause of the crash or not, but it seems prudent to
protect it.

Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
running on 9984 NIC.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index c72d8af122a28e19048c40f7072b4a9064d43e0b..2840ef75e3a6623379a915b938d5e4a5e7c8b3e4 100644 (file)
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -268,11 +268,12 @@ int ath10k_htt_rx_ring_refill(struct ath10k *ar)
        spin_lock_bh(&htt->rx_ring.lock);
        ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level -
                                              htt->rx_ring.fill_cnt));
-       spin_unlock_bh(&htt->rx_ring.lock);
 
        if (ret)
                ath10k_htt_rx_ring_free(htt);
 
+       spin_unlock_bh(&htt->rx_ring.lock);
+
        return ret;
 }
 
@@ -284,7 +285,9 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
        skb_queue_purge(&htt->rx_in_ord_compl_q);
        skb_queue_purge(&htt->tx_fetch_ind_q);
 
+       spin_lock_bh(&htt->rx_ring.lock);
        ath10k_htt_rx_ring_free(htt);
+       spin_unlock_bh(&htt->rx_ring.lock);
 
        dma_free_coherent(htt->ar->dev,
                          ath10k_htt_get_rx_ring_size(htt),