From: Rasesh Mody <rmody@brocade.com>
Date: Thu, 11 Aug 2011 11:59:10 -0700
Subject: bna: Eliminate Small Race Condition Window in RX Path
Git-commit: b9fa1fbf98178c8bbda23ff1d3ed0731bb3c0bd1
Patch-mainline: v3.2-rc1
References: FATE#311451 bnc#689230

Change details:
 - In a continuous sequence of ifconfig up/down operations, there is a small
   window of race between bnad_set_rx_mode() and bnad_cleanup_rx() while the
   former tries to access rx_info->rx & the latter sets it to NULL. This race
   could lead to bna_rx_mode_set() being called with a NULL (rx_info->rx)
   pointer and a crash.
 - Hold bnad->bna_lock while setting / unsetting rx_info->rx in bnad_setup_rx()
   & bnad_cleanup_rx(), thereby eliminating the race described above.

Signed-off-by: Rasesh Mody <rmody@brocade.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
 drivers/net/bna/bnad.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bna/bnad.c b/drivers/net/bna/bnad.c
index 5e32bfa..0694ebc 100644
--- a/drivers/net/bna/bnad.c
+++ b/drivers/net/bna/bnad.c
@@ -1886,10 +1886,10 @@ bnad_cleanup_rx(struct bnad *bnad, u32 rx_id)
 
 	spin_lock_irqsave(&bnad->bna_lock, flags);
 	bna_rx_destroy(rx_info->rx);
-	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	rx_info->rx = NULL;
 	rx_info->rx_id = 0;
+	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	bnad_rx_res_free(bnad, res_info);
 }
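Review bot: The writer-side locking around `rx_info->rx = NULL;` only closes the race if bnad_set_rx_mode() reads rx_info->rx and tests it for NULL while holding bnad->bna_lock, and that reader is not touched by this patch. Without such a check, the reader can still acquire the lock right after this section and hand the now-NULL pointer to bna_rx_mode_set(), which is the crash the commit message describes. Please confirm that the check exists in bnad_set_rx_mode(), or add it in this patch, and say so in the change details.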
@@ -1943,12 +1943,13 @@ bnad_setup_rx(struct bnad *bnad, u32 rx_id)
 	spin_lock_irqsave(&bnad->bna_lock, flags);
 	rx = bna_rx_create(&bnad->bna, bnad, rx_config, &rx_cbfn, res_info,
 			rx_info);
-	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 	if (!rx) {
 		err = -ENOMEM;
+		spin_unlock_irqrestore(&bnad->bna_lock, flags);
 		goto err_return;
 	}
 	rx_info->rx = rx;
+	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	/*
 	 * Init NAPI, so that state is set to NAPI_STATE_SCHED,
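Review bot: The `if (!rx)` branch now needs its own `spin_unlock_irqrestore(&bnad->bna_lock, flags);` before `goto err_return;`, which leaves two unlock sites for one critical section. A later edit to either path could leave bna_lock held with interrupts disabled, or release it twice. A single exit from the critical section is easier to audit: store the result with `rx_info->rx = rx;` directly after bna_rx_create(), unlock once, and only then test `!rx` and set `err = -ENOMEM`. That is equivalent as long as rx_info->rx is expected to be NULL on entry to bnad_setup_rx(), which should be confirmed since the patch does not show it.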
-- 
1.7.1





