bna: Eliminate Small Race Condition Window in RX Path

Change details: - In a continuous sequence of ifconfig up/down operations, there is a small window of race between bnad_set_rx_mode() and bnad_cleanup_rx() while the former tries to access rx_info->rx & the latter sets it to NULL. This race could lead to bna_rx_mode_set() being called with a NULL (rx_info->rx) pointer and a crash. - Hold bnad->bna_lock while setting / unsetting rx_info->rx in bnad_setup_rx() & bnad_cleanup_rx(), thereby eliminating the race described above. Signed-off-by: Gurunatha Karaje <gkaraje@brocade.com> Signed-off-by: Rasesh Mody <rmody@brocade.com> Signed-off-by: David S. Miller <davem@davemloft.net>
git-mirror · Sep 17, 2011 · b9fa1fb · b9fa1fb
1 parent 3fb9852
commit b9fa1fb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c
@@ -1875,10 +1875,10 @@ bnad_cleanup_rx(struct bnad *bnad, u32 rx_id)
 
 	spin_lock_irqsave(&bnad->bna_lock, flags);
 	bna_rx_destroy(rx_info->rx);
-	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	rx_info->rx = NULL;
 	rx_info->rx_id = 0;
+	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	bnad_rx_res_free(bnad, res_info);
 }
@@ -1932,12 +1932,13 @@ bnad_setup_rx(struct bnad *bnad, u32 rx_id)
 	spin_lock_irqsave(&bnad->bna_lock, flags);
 	rx = bna_rx_create(&bnad->bna, bnad, rx_config, &rx_cbfn, res_info,
 			rx_info);
-	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 	if (!rx) {
 		err = -ENOMEM;
+		spin_unlock_irqrestore(&bnad->bna_lock, flags);
 		goto err_return;
 	}
 	rx_info->rx = rx;
+	spin_unlock_irqrestore(&bnad->bna_lock, flags);
 
 	/*
 	 * Init NAPI, so that state is set to NAPI_STATE_SCHED,