wimax i2400m: fix race condition while accessing rx_roq by using kref count
author Prasanna S. Panchamukhi <prasannax.s.panchamukhi@intel.com>
Tue, 13 Apr 2010 23:35:58 +0000 (16:35 -0700)
committer Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Tue, 11 May 2010 21:08:23 +0000 (14:08 -0700)
commit d11a6e4495ee1fbb38b59bc88d49d050d3736929
tree 08afc7d7909dc451878f2ec04747071e2999e6e4
parent ded0fd62a8a7cb3b12bb007079bff2b858a12d2b
wimax i2400m: fix race condition while accessing rx_roq by using kref count

This patch fixes the race condition when one thread tries to destroy
the memory allocated for rx_roq, while another thread still happens
to access rx_roq.
Such a race condition occurs when the i2400m-sdio kernel module gets
unloaded, destroying the memory allocated for rx_roq while rx_roq
is accessed by i2400m_rx_edata(), as explained below:
$thread1                                $thread2
$ void i2400m_rx_edata()                $
$Access rx_roq[]                        $
$roq = &i2400m->rx_roq[ro_cin]          $
$ i2400m_roq_[reset/queue/update_ws]    $
$                                       $ void i2400m_rx_release();
$                                       $kfree(rx->roq);
$                                       $rx->roq = NULL;
$Oops! rx_roq is NULL

This patch fixes the race condition using a refcount approach.

Signed-off-by: Prasanna S. Panchamukhi <prasannax.s.panchamukhi@intel.com>
drivers/net/wimax/i2400m/i2400m.h
drivers/net/wimax/i2400m/rx.c
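
A user-space C sketch of the refcount approach the commit message describes, added here as an illustration and not taken from the patch or the i2400m driver. All names (`struct rx_state`, `roq_get`, `roq_put`, `rx_edata`, `rx_release`, `replay_race`) are hypothetical, and C11 atomics stand in for the kernel's kref; `replay_race` walks the two-thread interleaving from the diagram one step at a time.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space model: refs plays the role of a kref on roq. */
struct rx_state { atomic_int refs; unsigned *roq; size_t n; };
static int rx_setup(struct rx_state *rx, size_t n) {
    rx->roq = calloc(n, sizeof(*rx->roq));
    if (!rx->roq) return -1;
    rx->n = n;
    atomic_init(&rx->refs, 1);            /* reference owned by setup */
    return 0;
}
/* Take a reference only while the count is non-zero (array still alive). */
static bool roq_get(struct rx_state *rx) {
    int old = atomic_load(&rx->refs);
    while (old > 0)
        if (atomic_compare_exchange_weak(&rx->refs, &old, old + 1))
            return true;
    return false;
}
/* Drop a reference; whoever drops the last one frees the array. */
static bool roq_put(struct rx_state *rx) {
    if (atomic_fetch_sub(&rx->refs, 1) != 1) return false;
    free(rx->roq);
    rx->roq = NULL;
    return true;
}
/* Model of the receive path: pin roq for the duration of the access. */
static int rx_edata(struct rx_state *rx, size_t ro_cin, unsigned sn) {
    if (!roq_get(rx)) return -1;          /* already released: drop data */
    if (ro_cin < rx->n) rx->roq[ro_cin] = sn;
    roq_put(rx);
    return 0;
}
/* Model of the release path: drops only the setup reference. */
static bool rx_release(struct rx_state *rx) { return roq_put(rx); }
/* Replays the interleaving from the commit message, step by step. */
static bool replay_race(void) {
    struct rx_state rx;
    if (rx_setup(&rx, 4)) return false;
    bool pinned = roq_get(&rx);           /* thread1 enters the rx path */
    bool freed_early = rx_release(&rx);   /* thread2 unloads the module */
    bool alive = rx.roq != NULL;          /* thread1 can still use roq */
    if (alive) rx.roq[2] = 7;
    bool freed_last = roq_put(&rx);       /* thread1 leaves: array freed */
    return pinned && !freed_early && alive && freed_last
        && rx_edata(&rx, 2, 8) == -1 && rx.roq == NULL;
}
int main(void) { return replay_race() ? 0 : 1; }
```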