ath9k_htc: Fix bug in aggregation initiation

Accessing the sta pointer in TX completion without
approprate RCU protection is wrong. Fix this.

Also, RCU protection is needed when the station's
aggregation state is updated. Handle this properly.

Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 12 insertions, 13 deletions

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index e5f78c7b2b1..90b13ed1ae4 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -412,32 +412,31 @@ static int ath9k_htc_aggr_oper(struct ath9k_htc_priv *priv,
 	if (tid > ATH9K_HTC_MAX_TID)
 		return -EINVAL;
 
+	memset(&aggr, 0, sizeof(struct ath9k_htc_target_aggr));
+
 	rcu_read_lock();
+
+	/* Check if we are able to retrieve the station */
 	sta = ieee80211_find_sta(vif, sta_addr);
-	if (sta) {
-		ista = (struct ath9k_htc_sta *) sta->drv_priv;
-	} else {
+	if (!sta) {
 		rcu_read_unlock();
 		return -EINVAL;
 	}
 
-	if (!ista) {
-		rcu_read_unlock();
-		return -EINVAL;
-	}
+	ista = (struct ath9k_htc_sta *) sta->drv_priv;
 
-	memset(&aggr, 0, sizeof(struct ath9k_htc_target_aggr));
+	if (oper)
+		ista->tid_state[tid] = AGGR_START;
+	else
+		ista->tid_state[tid] = AGGR_STOP;
 
 	aggr.sta_index = ista->index;
+
 	rcu_read_unlock();
+
 	aggr.tidno = tid;
 	aggr.aggr_enable = oper;
 
-	if (oper)
-		ista->tid_state[tid] = AGGR_START;
-	else
-		ista->tid_state[tid] = AGGR_STOP;
-
 	WMI_CMD_BUF(WMI_TX_AGGR_ENABLE_CMDID, &aggr);
 	if (ret)
 		ath_print(common, ATH_DBG_CONFIG,