From: Stanislaw Gruszka <sgruszka@redhat.com>
To: "Guy, Wey-Yi" <wey-yi.w.guy@intel.com>
Cc: Intel Linux Wireless <ilw@linux.intel.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH] iwlwifi: fix possible data overwrite in hcmd callback
Date: Thu, 21 Apr 2011 09:17:50 +0200
Message-ID: <20110421071749.GA2203@redhat.com>
In-Reply-To: <1303308348.14995.149.camel@wwguy-huron>

Hello

On Wed, Apr 20, 2011 at 07:05:48AM -0700, Guy, Wey-Yi wrote:
> > -	spin_lock_irqsave(&priv->hcmd_lock, flags);
> > -
> >  	cmd_index = get_cmd_index(&txq->q, index, huge);
> >  	cmd = txq->cmd[cmd_index];
> >  	meta = &txq->meta[cmd_index];
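
Review bot: the removed `spin_lock_irqsave(&priv->hcmd_lock, flags)` at the top of this hunk leaves the `txq->cmd[cmd_index]` and `txq->meta[cmd_index]` lookups outside `hcmd_lock`, and nothing in the code says why that is safe. A short comment above `cmd_index = get_cmd_index(&txq->q, index, huge);` stating that the index computation and the slot lookups need no lock, or a sentence to that effect in the commit message, would settle the question for later readers.
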
> > @@ -634,13 +629,14 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
> >  			 dma_unmap_len(meta, len),
> >  			 PCI_DMA_BIDIRECTIONAL);
> >  
> > -	callback = NULL;
> >  	/* Input error checking is done when commands are added to queue. */
> >  	if (meta->flags & CMD_WANT_SKB) {
> >  		meta->source->reply_page = (unsigned long)rxb_addr(rxb);
> >  		rxb->page = NULL;
> > -	} else
> > -		callback = meta->callback;
> > +	} else if (meta->callback)
> > +		meta->callback(priv, cmd, pkt);
> > +
> > +	spin_lock_irqsave(&priv->hcmd_lock, flags);
> >  
> >  	iwl_hcmd_queue_reclaim(priv, txq_id, index, cmd_index);
> >  
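
Review bot: the `meta->flags & CMD_WANT_SKB` test and the `meta->callback` call now run before `spin_lock_irqsave(&priv->hcmd_lock, flags)`, while the last hunk still writes `meta->flags = 0` under that lock, so the same field is read unlocked and written locked. If this is safe because the slot cannot be reused until `iwl_hcmd_queue_reclaim()` has run, a comment above the `if` should say that the callback must stay ahead of the reclaim. `meta->callback` is also tested and then read again for the call; taking it into a local first, as the removed `callback = meta->callback;` did, avoids the double read. The `else if` arm should get braces to match the braced `if` arm.
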
> > @@ -655,7 +651,4 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
> >  	meta->flags = 0;
> >  
> >  	spin_unlock_irqrestore(&priv->hcmd_lock, flags);
> > -
> > -	if (callback)
> > -		callback(priv, cmd, pkt);
> >  }
> 
> Could you elaborate a bit more, why you do not need to protect getting
> the cmd index.

get_cmd_index() is a simple mathematical function of the index local variable
(provided by firmware) and the globally const q->n_window; it does not need to
be protected.

What needs to be protected is iwl_hcmd_queue_reclaim(), as it touches
q->read_ptr and meta->flags, to make sure it is synchronized across
different CPUs when a new huge command comes instantly.

Note circular queue management could be done lock-less, but it needs the
trickery described in Documentation/circular-buffers.txt to synchronize
q->read_ptr and q->write_ptr properly, which is probably too complex to
be worth considering instead of simply using a spin lock.

Stanislaw
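
Added example, not part of the original message and not the driver's code: a single-threaded C model of the ordering the patch changes, showing that a callback run after the slot is reclaimed can see a newer command's data. The ring layout, all names and the full-ring setup are assumptions chosen to make the slot reuse deterministic.

```c
#include <stdio.h>
#include <string.h>

/* User-space model with hypothetical names; not the iwlwifi code. */
#define N_SLOTS 4 /* assumed power-of-two ring size */
struct slot { char payload[16]; int in_use; };
struct ring { struct slot cmd[N_SLOTS]; unsigned read_ptr, write_ptr; };
static char seen[16]; /* payload the completion callback observed */
static void callback(const struct slot *s) { strcpy(seen, s->payload); }

/* Producer: reuses a slot only after it has been reclaimed. */
static int enqueue(struct ring *r, const char *payload)
{
	struct slot *s = &r->cmd[r->write_ptr & (N_SLOTS - 1)];
	if (s->in_use)
		return -1; /* ring full */
	snprintf(s->payload, sizeof(s->payload), "%s", payload);
	s->in_use = 1;
	r->write_ptr++;
	return 0;
}

/* Completion path: releases the oldest slot for reuse. */
static void reclaim(struct ring *r) { r->cmd[r->read_ptr++ & (N_SLOTS - 1)].in_use = 0; }

/* Complete the oldest command of a full ring; returns 1 if the callback saw
 * that command's own payload. The enqueue() after reclaim() stands in for a
 * sender on another CPU winning the race (constructed input). */
static int saw_own_cmd(int callback_first)
{
	struct ring r = {0};
	char name[16];
	for (int i = 0; i < N_SLOTS; i++) {
		snprintf(name, sizeof(name), "cmd-%d", i);
		enqueue(&r, name);
	}
	if (callback_first)
		callback(&r.cmd[0]); /* order after the patch */
	reclaim(&r);
	enqueue(&r, "new-cmd"); /* lands in the slot that was just freed */
	if (!callback_first)
		callback(&r.cmd[0]); /* order before the patch */
	return strcmp(seen, "cmd-0") == 0;
}

int main(void)
{
	printf("own cmd seen: old order=%d new order=%d\n", saw_own_cmd(0), saw_own_cmd(1));
	return 0;
}
```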

Thread overview: 4+ messages
2011-04-20 14:02 [PATCH] iwlwifi: fix possible data overwrite in hcmd callback Stanislaw Gruszka
2011-04-20 14:05 ` Guy, Wey-Yi
2011-04-21  7:17   ` Stanislaw Gruszka [this message]
2011-04-21 14:13     ` wwguy