Commit 8c86f757 authored by Dedy Lansky Committed by John W. Linville

wil6210: fix race condition of disconnect while BACK event



This race condition was causing double free of tid_ampdu_rx structures

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent 871d8c4b
+7 −2
@@ -597,16 +597,18 @@ static void wmi_evt_ba_status(struct wil6210_priv *wil, int id, void *d,
		return;
	}

	mutex_lock(&wil->mutex);

	cid = wil->vring2cid_tid[evt->ringid][0];
	if (cid >= WIL6210_MAX_CID) {
		wil_err(wil, "invalid CID %d for vring %d\n", cid, evt->ringid);
		return;
		goto out;
	}

	sta = &wil->sta[cid];
	if (sta->status == wil_sta_unused) {
		wil_err(wil, "CID %d unused\n", cid);
		return;
		goto out;
	}

	wil_dbg_wmi(wil, "BACK for CID %d %pM\n", cid, sta->addr);
@@ -618,6 +620,9 @@ static void wmi_evt_ba_status(struct wil6210_priv *wil, int id, void *d,
			sta->tid_rx[i] = wil_tid_ampdu_rx_alloc(wil,
						evt->agg_wsize, 0);
	}

out:
	mutex_unlock(&wil->mutex);
}

static const struct {
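Review bot: The `mutex_lock(&wil->mutex)` added before the `vring2cid_tid` lookup has no comment naming what it guards, and the double free is only closed if the disconnect path frees `sta->tid_rx[]` under the same mutex, which this page does not show. I would add `/* wil->mutex serializes tid_rx[] free/alloc against disconnect */` directly above the lock. Any reader of `sta->tid_rx[i]` that cannot sleep (an Rx data path, for example) would not be covered by a mutex and could still observe a pointer that the loop in the second hunk replaces; this is inferred, so it is worth confirming whether such a reader exists. The invalid-ring-id `return` above the lock is correct because the mutex is not yet held there; the function body starts outside the hunk.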