commit f22cf689a6353f072bca15d0a26f870e62dfacf8
author Cindy H Kao <cindy.h.kao@intel.com> Sat Jan 30 01:26:54 2010 -0800
committer Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> Tue May 11 14:04:46 2010 -0700
tree 5a6a4907184bfa09aac6727030a501c3b8447a38
parent 570eb0ea65db625e0b11ca97f4ae857bc1193250

wimax/i2400m: fix the race condition for accessing TX queue

The race condition happens when the TX queue is accessed by
the TX work while the same TX queue is being destroyed because
a bus reset is triggered either by debugfs entry or simply
by failing waking up the device from WiMAX IDLE mode.

This fix is to prevent the TX queue from being accessed by
multiple threads

Signed-off-by: Cindy H Kao <cindy.h.kao@intel.com>

drivers/net/wimax/i2400m/sdio-tx.c

diff --git a/drivers/net/wimax/i2400m/sdio-tx.c b/drivers/net/wimax/i2400m/sdio-tx.c
index de66d06..412b6a8 100644
--- a/drivers/net/wimax/i2400m/sdio-tx.c
+++ b/drivers/net/wimax/i2400m/sdio-tx.c
@@ -114,13 +114,17 @@
 {
 	struct i2400ms *i2400ms = container_of(i2400m, struct i2400ms, i2400m);
 	struct device *dev = &i2400ms->func->dev;
+	unsigned long flags;
 
 	d_fnstart(3, dev, "(i2400m %p) = void\n", i2400m);
 
 	/* schedule tx work, this is because tx may block, therefore
 	 * it has to run in a thread context.
 	 */
-	queue_work(i2400ms->tx_workqueue, &i2400ms->tx_worker);
+	spin_lock_irqsave(&i2400m->tx_lock, flags);
+	if (i2400ms->tx_workqueue != NULL)
+		queue_work(i2400ms->tx_workqueue, &i2400ms->tx_worker);
+	spin_unlock_irqrestore(&i2400m->tx_lock, flags);
 
 	d_fnend(3, dev, "(i2400m %p) = void\n", i2400m);
 }
@@ -130,27 +134,40 @@
 	int result;
 	struct device *dev = &i2400ms->func->dev;
 	struct i2400m *i2400m = &i2400ms->i2400m;
+	struct workqueue_struct *tx_workqueue;
+	unsigned long flags;
 
 	d_fnstart(5, dev, "(i2400ms %p)\n", i2400ms);
 
 	INIT_WORK(&i2400ms->tx_worker, i2400ms_tx_submit);
 	snprintf(i2400ms->tx_wq_name, sizeof(i2400ms->tx_wq_name),
 		 "%s-tx", i2400m->wimax_dev.name);
-	i2400ms->tx_workqueue =
+	tx_workqueue =
 		create_singlethread_workqueue(i2400ms->tx_wq_name);
-	if (NULL == i2400ms->tx_workqueue) {
+	if (tx_workqueue == NULL) {
 		dev_err(dev, "TX: failed to create workqueue\n");
 		result = -ENOMEM;
 	} else
 		result = 0;
+	spin_lock_irqsave(&i2400m->tx_lock, flags);
+	i2400ms->tx_workqueue = tx_workqueue;
+	spin_unlock_irqrestore(&i2400m->tx_lock, flags);
 	d_fnend(5, dev, "(i2400ms %p) = %d\n", i2400ms, result);
 	return result;
 }
 
 void i2400ms_tx_release(struct i2400ms *i2400ms)
 {
-	if (i2400ms->tx_workqueue) {
-		destroy_workqueue(i2400ms->tx_workqueue);
-		i2400ms->tx_workqueue = NULL;
-	}
+	struct i2400m *i2400m = &i2400ms->i2400m;
+	struct workqueue_struct *tx_workqueue;
+	unsigned long flags;
+
+	tx_workqueue = i2400ms->tx_workqueue;
+
+	spin_lock_irqsave(&i2400m->tx_lock, flags);
+	i2400ms->tx_workqueue = NULL;
+	spin_unlock_irqrestore(&i2400m->tx_lock, flags);
+
+	if (tx_workqueue)
+		destroy_workqueue(tx_workqueue);
 }