[PATCH] ath9k: Fix possible data races in ath_set_channel()

[PATCH] ath9k: Fix possible data races in ath_set_channel()

[Jia-Ju Bai]

The functions ath9k_config() and ath_ani_calibrate() may be concurrently
executed.

A variable survey->filled is accessed with holding a spinlock
common->cc_lock, through:
ath_ani_calibrate()
    spin_lock_irqsave(&common->cc_lock, flags);
    ath_update_survey_stats()
        ath_update_survey_nf()
            survey->filled |= SURVEY_INFO_NOISE_DBM;

The identical variables sc->cur_survey->filled and 
sc->survey[pos].filled is accessed without holding this lock, through:
ath9k_config()
    ath_chanctx_set_channel()
        ath_set_channel()
            sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
            sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
            else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
            ath_update_survey_nf
                survey->filled |= SURVEY_INFO_NOISE_DBM;

Thus, possible data races may occur.

To fix these data races, in ath_set_channel(), these variables are
accessed with holding the spinlock common->cc_lock.

These data races are found by the runtime testing of our tool DILP-2.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 drivers/net/wireless/ath/ath9k/channel.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
index fd61ae4782b6..b16f7f65e9c6 100644
--- a/drivers/net/wireless/ath/ath9k/channel.c
+++ b/drivers/net/wireless/ath/ath9k/channel.c
@@ -54,6 +54,7 @@ static int ath_set_channel(struct ath_softc *sc)
 	 * Reset the survey data for the new channel, unless we're switching
 	 * back to the operating channel from an off-channel operation.
 	 */
+	spin_lock_irqsave(&common->cc_lock, flags);
 	if (!sc->cur_chan->offchannel && sc->cur_survey != &sc->survey[pos]) {
 		if (sc->cur_survey)
 			sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
@@ -65,6 +66,7 @@ static int ath_set_channel(struct ath_softc *sc)
 	} else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE)) {
 		memset(&sc->survey[pos], 0, sizeof(struct survey_info));
 	}
+	spin_unlock_irqrestore(&common->cc_lock, flags);
 
 	hchan = &sc->sc_ah->channels[pos];
 	r = ath_reset(sc, hchan);
@@ -75,8 +77,11 @@ static int ath_set_channel(struct ath_softc *sc)
 	 * channel is only available after the hardware reset. Copy it to
 	 * the survey stats now.
 	 */
-	if (old_pos >= 0)
+	if (old_pos >= 0) {
+		spin_lock_irqsave(&common->cc_lock, flags);
 		ath_update_survey_nf(sc, old_pos);
+		spin_unlock_irqrestore(&common->cc_lock, flags);
+	}
 
 	/* Enable radar pulse detection if on a DFS channel. Spectral
 	 * scanning and radar detection can not be used concurrently.
-- 
2.17.1

Re: [PATCH] ath9k: Fix possible data races in ath_set_channel()

[Kalle Valo]

Jia-Ju Bai <baijiaju1990@gmail.com> writes:

> The functions ath9k_config() and ath_ani_calibrate() may be concurrently
> executed.
>
> A variable survey->filled is accessed with holding a spinlock
> common->cc_lock, through:
> ath_ani_calibrate()
>     spin_lock_irqsave(&common->cc_lock, flags);
>     ath_update_survey_stats()
>         ath_update_survey_nf()
>             survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> The identical variables sc->cur_survey->filled and 
> sc->survey[pos].filled is accessed without holding this lock, through:
> ath9k_config()
>     ath_chanctx_set_channel()
>         ath_set_channel()
>             sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
>             sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
>             else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
>             ath_update_survey_nf
>                 survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> Thus, possible data races may occur.
>
> To fix these data races, in ath_set_channel(), these variables are
> accessed with holding the spinlock common->cc_lock.
>
> These data races are found by the runtime testing of our tool DILP-2.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

I need a detailed review from somone familiar with ath9k before I can
consider applying this.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH] ath9k: Fix possible data races in ath_set_channel()

[Felix Fietkau]

On 2020-01-11 18:15, Jia-Ju Bai wrote:
> The functions ath9k_config() and ath_ani_calibrate() may be concurrently
> executed.
> 
> A variable survey->filled is accessed with holding a spinlock
> common->cc_lock, through:
> ath_ani_calibrate()
>     spin_lock_irqsave(&common->cc_lock, flags);
>     ath_update_survey_stats()
>         ath_update_survey_nf()
>             survey->filled |= SURVEY_INFO_NOISE_DBM;
> 
> The identical variables sc->cur_survey->filled and 
> sc->survey[pos].filled is accessed without holding this lock, through:
> ath9k_config()
>     ath_chanctx_set_channel()
>         ath_set_channel()
>             sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
>             sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
>             else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
>             ath_update_survey_nf
>                 survey->filled |= SURVEY_INFO_NOISE_DBM;
> 
> Thus, possible data races may occur.
> 
> To fix these data races, in ath_set_channel(), these variables are
> accessed with holding the spinlock common->cc_lock.
> 
> These data races are found by the runtime testing of our tool DILP-2.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
I think a much better solution would be to stop common->ani.timer
earlier in ath_set_channel to prevent this race from occurring.

- Felix