* [ldv-project] [net] wcn36xx: potential race condition
@ 2016-06-14 14:42 Pavel Andrianov
From: Pavel Andrianov @ 2016-06-14 14:42 UTC (permalink / raw)
To: Eugene Krasnikov
Cc: Kalle Valo, wcn36xx, linux-wireless, netdev, linux-kernel,
ldv-project, Vaishali Thakkar
Hi!

There is a potential race condition in
drivers/net/wireless/ath/wcn36xx/wcn36xx.ko. In wcn36xx_tx ->
wcn36xx_start_tx -> wcn36xx_set_tx_data
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L176)
there is a read of sta_priv->bss_dpu_desc_index and
sta_priv->bss_sta_index. In wcn36xx_bss_info_changed ->
wcn36xx_smd_config_bss -> wcn36xx_smd_config_bss_rsp
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L1204)
there is a write to the same fields. It seems that the handlers may be
called in parallel and inconsistent data may be obtained.

The same problem is with sta_priv->sta_index and
sta_priv->sta_dpu_desc_index:
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L181
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L986

Is it a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?

--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@ispras.ru
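
A small C model of the interleaving described in the report above, added here as an illustration and not taken from the wcn36xx driver or from the original message. The names `sta_model`, `writer_step`, `reader_snapshot` and `count_torn_reads` are hypothetical, the two fields carry equal values only to tag "old" versus "new", and the lock is modeled as a flag that both the writer and the reader honor. It schedules the reader after each writer step and counts snapshots that mix an old field with a new one.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical model of the two fields named in the report; not driver code. */
struct sta_model {
    int bss_sta_index;
    int bss_dpu_desc_index;
    bool lock_held;          /* models a lock currently owned by the writer */
};

/* Writer split into single stores so a reader can be scheduled between them. */
static void writer_step(struct sta_model *s, int step, int new_idx, bool use_lock)
{
    switch (step) {
    case 0: if (use_lock) s->lock_held = true; break;
    case 1: s->bss_sta_index = new_idx; break;
    case 2: s->bss_dpu_desc_index = new_idx; break;
    case 3: s->lock_held = false; break;
    }
}

/* Reader: returns false where it would block on the lock, else copies both fields. */
static bool reader_snapshot(const struct sta_model *s, bool use_lock, int *sta, int *dpu)
{
    if (use_lock && s->lock_held)
        return false;
    *sta = s->bss_sta_index;
    *dpu = s->bss_dpu_desc_index;
    return true;
}

/* Place the reader after k writer steps, k = 0..4, and count mixed old/new pairs. */
static int count_torn_reads(bool use_lock)
{
    int torn = 0, sta, dpu;
    for (int k = 0; k <= 4; k++) {
        struct sta_model s = { 1, 1, false };   /* constructed old entry: 1/1 */
        for (int step = 0; step < k; step++)
            writer_step(&s, step, 2, use_lock); /* constructed new entry: 2/2 */
        if (reader_snapshot(&s, use_lock, &sta, &dpu) && sta != dpu)
            torn++;
    }
    return torn;
}

int main(void)
{
    printf("torn reads: no lock %d, lock %d\n", count_torn_reads(false), count_torn_reads(true));
    return 0;
}
```

In this model the torn pair disappears only because the writer's two stores and the reader's two loads are covered by the same lock; a lock taken on the reader side alone leaves the schedule unchanged.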