[PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation
@ 2012-05-03 21:09 Wey-Yi Guy
  2012-05-08 14:05 ` Stanislaw Gruszka
  0 siblings, 1 reply; 5+ messages in thread
From: Wey-Yi Guy @ 2012-05-03 21:09 UTC (permalink / raw)
  To: linville; +Cc: linux-wireless, Meenakshi Venkataraman, stable, Wey-Yi Guy

From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>

The driver can potentially unmap pages that
have not been mapped yet. Fix this race
condition.

Cc: stable@vger.kernel.org
Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
---
this patch will be also available from wireless branch on
 git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi.git

 drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
index aa7aea1..173275f 100644
--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
@@ -310,7 +310,6 @@ static void iwlagn_rx_allocate(struct iwl_trans *trans, gfp_t priority)
 		spin_unlock_irqrestore(&rxq->lock, flags);
 
 		BUG_ON(rxb->page);
-		rxb->page = page;
 		/* Get physical address of the RB */
 		rxb->page_dma = dma_map_page(trans->dev, page, 0,
 				PAGE_SIZE << hw_params(trans).rx_page_order,
@@ -320,6 +319,9 @@ static void iwlagn_rx_allocate(struct iwl_trans *trans, gfp_t priority)
 		/* and also 256 byte aligned! */
 		BUG_ON(rxb->page_dma & DMA_BIT_MASK(8));
 
+		/* Page *must* be mapped before before updating the rxb. */
+		rxb->page = page;
+
 		spin_lock_irqsave(&rxq->lock, flags);
 
 		list_add_tail(&rxb->list, &rxq->rx_free);
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation
  2012-05-03 21:09 [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation Wey-Yi Guy
@ 2012-05-08 14:05 ` Stanislaw Gruszka
  2012-05-08 17:00   ` Emmanuel Grumbach
  0 siblings, 1 reply; 5+ messages in thread
From: Stanislaw Gruszka @ 2012-05-08 14:05 UTC (permalink / raw)
  To: Wey-Yi Guy; +Cc: linville, linux-wireless, Meenakshi Venkataraman, stable

On Thu, May 03, 2012 at 02:09:24PM -0700, Wey-Yi Guy wrote:
> From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
> 
> The driver can potentially unmap pages that
> have not been mapped yet. Fix this race
> condition.
> 
> Cc: stable@vger.kernel.org
> Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
> Signed-off-by: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
> ---
> this patch will be also available from wireless branch on
>  git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi.git
> 
>  drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
> index aa7aea1..173275f 100644
> --- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
> +++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie-rx.c
> @@ -310,7 +310,6 @@ static void iwlagn_rx_allocate(struct iwl_trans *trans, gfp_t priority)
>  		spin_unlock_irqrestore(&rxq->lock, flags);
>  
>  		BUG_ON(rxb->page);
> -		rxb->page = page;
>  		/* Get physical address of the RB */
>  		rxb->page_dma = dma_map_page(trans->dev, page, 0,
>  				PAGE_SIZE << hw_params(trans).rx_page_order,
> @@ -320,6 +319,9 @@ static void iwlagn_rx_allocate(struct iwl_trans *trans, gfp_t priority)
>  		/* and also 256 byte aligned! */
>  		BUG_ON(rxb->page_dma & DMA_BIT_MASK(8));
>  
> +		/* Page *must* be mapped before before updating the rxb. */
> +		rxb->page = page;
> +
>  		spin_lock_irqsave(&rxq->lock, flags);
>  
>  		list_add_tail(&rxb->list, &rxq->rx_free);

This patch make no sense. Nothing stops compiler or CPU to write
->page into memory before ->page_dma .

Stanislaw

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation
  2012-05-08 14:05 ` Stanislaw Gruszka
@ 2012-05-08 17:00   ` Emmanuel Grumbach
  2012-05-08 18:34     ` Venkataraman, Meenakshi
  2012-05-09  7:53     ` Stanislaw Gruszka
  0 siblings, 2 replies; 5+ messages in thread
From: Emmanuel Grumbach @ 2012-05-08 17:00 UTC (permalink / raw)
  To: Stanislaw Gruszka
  Cc: Wey-Yi Guy, linville, linux-wireless, Meenakshi Venkataraman,
	stable

>
> This patch make no sense. Nothing stops compiler or CPU to write
> ->page into memory before ->page_dma .
>

I thought that too,but  the call to dma_map... is a call to functon.
Shouldn't force the compiler the make things in order. Or maybe the
assignment to rxb->page_dma can be reordered... I am not really sure.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation
  2012-05-08 17:00   ` Emmanuel Grumbach
@ 2012-05-08 18:34     ` Venkataraman, Meenakshi
  2012-05-09  7:53     ` Stanislaw Gruszka
  1 sibling, 0 replies; 5+ messages in thread
From: Venkataraman, Meenakshi @ 2012-05-08 18:34 UTC (permalink / raw)
  To: Emmanuel Grumbach, Stanislaw Gruszka
  Cc: Guy, Wey-Yi W, linville@tuxdriver.com,
	linux-wireless@vger.kernel.org, stable@vger.kernel.org

Hi guys,

>> This patch make no sense. Nothing stops compiler or CPU to write
>> ->page into memory before ->page_dma .
>>
>
>I thought that too,but  the call to dma_map... is a call to functon.
>Shouldn't force the compiler the make things in order. Or maybe the
>assignment to rxb->page_dma can be reordered... I am not really sure.

[MV] In that case I'll explicitly add barriers here and elsewhere...there is a race condition here and it needs to be resolved.

Thanks,
Meenakshi

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation
  2012-05-08 17:00   ` Emmanuel Grumbach
  2012-05-08 18:34     ` Venkataraman, Meenakshi
@ 2012-05-09  7:53     ` Stanislaw Gruszka
  1 sibling, 0 replies; 5+ messages in thread
From: Stanislaw Gruszka @ 2012-05-09  7:53 UTC (permalink / raw)
  To: Emmanuel Grumbach
  Cc: Wey-Yi Guy, linville, linux-wireless, Meenakshi Venkataraman,
	stable

On Tue, May 08, 2012 at 08:00:29PM +0300, Emmanuel Grumbach wrote:
> >
> > This patch make no sense. Nothing stops compiler or CPU to write
> > ->page into memory before ->page_dma .
> >
> 
> I thought that too,but  the call to dma_map... is a call to functon.
> Shouldn't force the compiler the make things in order. Or maybe the
> assignment to rxb->page_dma can be reordered... I am not really sure.

Calling a non lock/unlock function does not make any guarantees about
ordering.

Stanislaw

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-05-09  7:53 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-03 21:09 [PATCH 3.4] iwlwifi: fix a potential race in receive buffer allocation Wey-Yi Guy
2012-05-08 14:05 ` Stanislaw Gruszka
2012-05-08 17:00   ` Emmanuel Grumbach
2012-05-08 18:34     ` Venkataraman, Meenakshi
2012-05-09  7:53     ` Stanislaw Gruszka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).