* [ldv-project] [net] wcn36xx: potential race condition
@ 2016-06-14 14:42 Pavel Andrianov
0 siblings, 0 replies; only message in thread
From: Pavel Andrianov @ 2016-06-14 14:42 UTC (permalink / raw)
To: Eugene Krasnikov
Cc: Kalle Valo, wcn36xx, linux-wireless, netdev, linux-kernel,
ldv-project, Vaishali Thakkar
Hi!
There is a potential race condition in
drivers/net/wireless/ath/wcn36xx/wcn36xx.ko. In wcn36xx_tx ->
wcn36xx_start_tx -> wcn36xx_set_tx_data
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L176)
there is a read of sta_priv->bss_dpu_desc_index and
sta_priv->bss_sta_index. In wcn36xx_bss_info_changed ->
wcn36xx_smd_config_bss -> wcn36xx_smd_config_bss_rsp
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L1204)
there is a write to the same fields. It seems that the handlers may be
called in parallel and inconsistent data may be obtained.
The same problem is with sta_priv->sta_index and
sta_priv->sta_dpu_desc_index:
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L181
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L986
Is it a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@ispras.ru
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-06-14 15:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-14 14:42 [ldv-project] [net] wcn36xx: potential race condition Pavel Andrianov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).