1 files changed, 35 insertions, 0 deletions

diff --git a/package/kernel/mac80211/patches/317-brcmfmac-Fix-race-condition-in-msgbuf-ioctl-processi.patch b/package/kernel/mac80211/patches/317-brcmfmac-Fix-race-condition-in-msgbuf-ioctl-processi.patch
new file mode 100644
index 0000000000..e005fe73d2
--- /dev/null
+++ b/package/kernel/mac80211/patches/317-brcmfmac-Fix-race-condition-in-msgbuf-ioctl-processi.patch
@@ -0,0 +1,35 @@
+From: Hante Meuleman <meuleman@broadcom.com>
+Date: Fri, 6 Mar 2015 18:40:41 +0100
+Subject: [PATCH] brcmfmac: Fix race condition in msgbuf ioctl processing.
+
+Msgbuf is using a wait_event_timeout to wait for the response on
+an ioctl. The wakeup routine uses waitqueue_active to see if
+wait_event_timeout has been called. There is a chance that the
+response arrives before wait_event_timeout is called, this
+will result in situation that wait_event_timeout never gets
+woken again and assumed result will be a timeout. This patch
+removes that errornous situation by always setting the
+ctl_completed var before checking for queue active.
+
+Reviewed-by: Arend Van Spriel <arend@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+@@ -481,10 +481,9 @@ static int brcmf_msgbuf_ioctl_resp_wait(
+ 
+ static void brcmf_msgbuf_ioctl_resp_wake(struct brcmf_msgbuf *msgbuf)
+ {
+-	if (waitqueue_active(&msgbuf->ioctl_resp_wait)) {
+-		msgbuf->ctl_completed = true;
++	msgbuf->ctl_completed = true;
++	if (waitqueue_active(&msgbuf->ioctl_resp_wait))
+ 		wake_up(&msgbuf->ioctl_resp_wait);
+-	}
+ }
+ 
+