mac80211: fix some RX aggregation locking

	tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;

	spin_lock(&sta->lock);

	if (!sta->ampdu_mlme.tid_active_rx[tid])

		goto dont_reorder;

		goto dont_reorder_unlock;

	tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];

	/* qos null data frames are excluded */

	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))

		goto dont_reorder;

		goto dont_reorder_unlock;

	/* new, potentially un-ordered, ampdu frame - process it */

	/* if this mpdu is fragmented - terminate rx aggregation session */

	sc = le16_to_cpu(hdr->seq_ctrl);

	if (sc & IEEE80211_SCTL_FRAG) {

		spin_unlock(&sta->lock);

		__ieee80211_stop_rx_ba_session(sta, tid, WLAN_BACK_RECIPIENT,

					       WLAN_REASON_QSTA_REQUIRE_SETUP);

		dev_kfree_skb(skb);

		return;

	}

	if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames))

	if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) {

		spin_unlock(&sta->lock);

		return;

	}

 dont_reorder_unlock:

	spin_unlock(&sta->lock);

 dont_reorder:

	__skb_queue_tail(frames, skb);

}

	if (ieee80211_is_back_req(bar->frame_control)) {

		if (!rx->sta)

			return RX_DROP_MONITOR;

		spin_lock(&rx->sta->lock);

		tid = le16_to_cpu(bar->control) >> 12;

		if (!rx->sta->ampdu_mlme.tid_active_rx[tid])

		if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {

			spin_unlock(&rx->sta->lock);

			return RX_DROP_MONITOR;

		}

		tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];

		start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;

		ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num,

						 frames);

		kfree_skb(skb);

		spin_unlock(&rx->sta->lock);

		return RX_QUEUED;

	}