Under stressed conditions a race could happen when del_timer_sync() was called
from softirq context at the same time as mod_timer_pending() for the same
timer was called from the workqueue. This led to a state mismatch in the
CAIF HSI driver and a subsequent unexpected link wakeup procedure.
The fix puts del_timer_sync() and mod_timer_pending() calls under a spin lock
to protect against the race condition.
Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
return;
/* Update inactivity timer if pending. */
return;
/* Update inactivity timer if pending. */
+ spin_lock_bh(&cfhsi->lock);
mod_timer_pending(&cfhsi->timer, jiffies + CFHSI_INACTIVITY_TOUT);
mod_timer_pending(&cfhsi->timer, jiffies + CFHSI_INACTIVITY_TOUT);
+ spin_unlock_bh(&cfhsi->lock);
if (cfhsi->rx_state == CFHSI_RX_STATE_DESC) {
desc_pld_len = cfhsi_rx_desc(desc, cfhsi);
if (cfhsi->rx_state == CFHSI_RX_STATE_DESC) {
desc_pld_len = cfhsi_rx_desc(desc, cfhsi);
- spin_unlock_bh(&cfhsi->lock);
-
- if (!start_xfer)
+ if (!start_xfer) {
+ spin_unlock_bh(&cfhsi->lock);
/* Delete inactivity timer if started. */
#ifdef CONFIG_SMP
/* Delete inactivity timer if started. */
#ifdef CONFIG_SMP
timer_active = del_timer(&cfhsi->timer);
#endif /* CONFIG_SMP */
timer_active = del_timer(&cfhsi->timer);
#endif /* CONFIG_SMP */
+ spin_unlock_bh(&cfhsi->lock);
+
if (timer_active) {
struct cfhsi_desc *desc = (struct cfhsi_desc *)cfhsi->tx_buf;
int len;
if (timer_active) {
struct cfhsi_desc *desc = (struct cfhsi_desc *)cfhsi->tx_buf;
int len;
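Review bot: In the transmit-path hunk the unlock now sits below the timer deletion, so the timer is deleted with `cfhsi->lock` held and bottom halves disabled; the commit description says this covers `del_timer_sync()`, although only the `del_timer()` line is visible in this section. `del_timer_sync()` waits for a running callback to finish, so this is safe only if the timer callback (not shown here) never takes `cfhsi->lock`; otherwise an SMP system can deadlock, with one CPU spinning in `del_timer_sync()` while the callback waits on the lock. I would record that invariant next to the call, e.g. `/* cfhsi->lock is held here: the inactivity timer callback must never take it, or del_timer_sync() deadlocks. */`. The enclosing function starts and ends outside the visible lines.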