From 0a74fc5b10ffb17da776652faef356cee57e62d8 Mon Sep 17 00:00:00 2001
From: Govind Singh <govinds@codeaurora.org>
Date: Sat, 12 Mar 2016 09:26:52 +0530
Subject: [PATCH] qcacmn: Protect rx execution context for wmi events

wmi rx event context can be modified at runtime by
upper layers. Protect rx execution context for wmi events
to avoid race conditions.

Change-Id: I7eed7108d09f8f39432990b2ebfef29a41bfa9aa
CRs-Fixed: 983619
---
 wmi/inc/wmi_unified_priv.h | 1 +
 wmi/src/wmi_unified.c      | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/wmi/inc/wmi_unified_priv.h b/wmi/inc/wmi_unified_priv.h
index b0d16cc5f3..b6069fc200 100644
--- a/wmi/inc/wmi_unified_priv.h
+++ b/wmi/inc/wmi_unified_priv.h
@@ -621,6 +621,7 @@ struct wmi_unified {
 	struct wmi_ops *ops;
 	void *event_handler_cookie[WMI_UNIFIED_MAX_EVENT];
 	bool use_cookie;
+	qdf_spinlock_t ctx_lock;
 };
 struct wmi_ops *wmi_get_tlv_ops(void);
 struct wmi_ops *wmi_get_non_tlv_ops(void);
diff --git a/wmi/src/wmi_unified.c b/wmi/src/wmi_unified.c
index 8ef2bd81bc..1f29fcc1a3 100644
--- a/wmi/src/wmi_unified.c
+++ b/wmi/src/wmi_unified.c
@@ -967,7 +967,9 @@ int wmi_unified_register_event_handler(wmi_unified_t wmi_handle,
 	idx = wmi_handle->max_event_idx;
 	wmi_handle->event_handler[idx] = handler_func;
 	wmi_handle->event_id[idx] = event_id;
+	qdf_spin_lock_bh(&wmi_handle->ctx_lock);
 	wmi_handle->ctx[idx] = rx_ctx;
+	qdf_spin_unlock_bh(&wmi_handle->ctx_lock);
 	wmi_handle->max_event_idx++;
 
 	return 0;
@@ -1082,7 +1084,9 @@ void wmi_control_rx(void *ctx, HTC_PACKET *htc_packet)
 		qdf_nbuf_free(evt_buf);
 		return;
 	}
+	qdf_spin_lock_bh(&wmi_handle->ctx_lock);
 	exec_ctx = wmi_handle->ctx[idx];
+	qdf_spin_unlock_bh(&wmi_handle->ctx_lock);
 
 	if (exec_ctx == WMI_RX_WORK_CTX) {
 		wmi_process_fw_event_worker_thread_ctx
@@ -1282,6 +1286,7 @@ void *wmi_unified_attach(void *scn_handle,
 	/* Assign target cookie capablity */
 	wmi_handle->use_cookie = use_cookie;
 	wmi_handle->osdev = osdev;
+	qdf_spinlock_create(&wmi_handle->ctx_lock);
 
 	return wmi_handle;
 }
@@ -1305,6 +1310,7 @@ void wmi_unified_detach(struct wmi_unified *wmi_handle)
 		buf = qdf_nbuf_queue_remove(&wmi_handle->event_queue);
 	}
 	qdf_spin_unlock_bh(&wmi_handle->eventq_lock);
+	qdf_spinlock_destroy(&wmi_handle->ctx_lock);
 	if (wmi_handle != NULL) {
 		OS_FREE(wmi_handle);
 		wmi_handle = NULL;