From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ping-Ke Shih <pkshih@realtek.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.10 09/27] wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length
Date: Sat, 27 Jul 2024 20:52:52 -0400 [thread overview]
Message-ID: <20240728005329.1723272-9-sashal@kernel.org> (raw)
In-Reply-To: <20240728005329.1723272-1-sashal@kernel.org>
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit 94298477f81a1701fc4e1b5a0ce9672acab5dcb2 ]
Read 32 bits RX info to a local variable to fix race condition between
reading RX length and RX tag.
Another solution is to get RX tag at first statement, but adopted solution
can save some memory read, and also save 15 bytes binary code.
RX tag, a sequence number, is used to ensure that RX data has been DMA to
memory completely, so driver must check sequence number is expected before
reading other data.
This potential problem happens only after enabling 36-bit DMA.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://msgid.link/20240611021901.26394-2-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/pci.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c
index 03bbcf9b6737c..1ba812fae12f0 100644
--- a/drivers/net/wireless/realtek/rtw89/pci.c
+++ b/drivers/net/wireless/realtek/rtw89/pci.c
@@ -183,14 +183,17 @@ static void rtw89_pci_sync_skb_for_device(struct rtw89_dev *rtwdev,
static void rtw89_pci_rxbd_info_update(struct rtw89_dev *rtwdev,
struct sk_buff *skb)
{
- struct rtw89_pci_rxbd_info *rxbd_info;
struct rtw89_pci_rx_info *rx_info = RTW89_PCI_RX_SKB_CB(skb);
+ struct rtw89_pci_rxbd_info *rxbd_info;
+ __le32 info;
rxbd_info = (struct rtw89_pci_rxbd_info *)skb->data;
- rx_info->fs = le32_get_bits(rxbd_info->dword, RTW89_PCI_RXBD_FS);
- rx_info->ls = le32_get_bits(rxbd_info->dword, RTW89_PCI_RXBD_LS);
- rx_info->len = le32_get_bits(rxbd_info->dword, RTW89_PCI_RXBD_WRITE_SIZE);
- rx_info->tag = le32_get_bits(rxbd_info->dword, RTW89_PCI_RXBD_TAG);
+ info = rxbd_info->dword;
+
+ rx_info->fs = le32_get_bits(info, RTW89_PCI_RXBD_FS);
+ rx_info->ls = le32_get_bits(info, RTW89_PCI_RXBD_LS);
+ rx_info->len = le32_get_bits(info, RTW89_PCI_RXBD_WRITE_SIZE);
+ rx_info->tag = le32_get_bits(info, RTW89_PCI_RXBD_TAG);
}
static int rtw89_pci_validate_rx_tag(struct rtw89_dev *rtwdev,
--
2.43.0
next prev parent reply other threads:[~2024-07-28 0:53 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-28 0:52 [PATCH AUTOSEL 6.10 01/27] wifi: nl80211: disallow setting special AP channel widths Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 02/27] wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 03/27] r8169: remove detection of chip version 11 (early RTL8168b) Sasha Levin
2024-07-29 8:45 ` Heiner Kallweit
2024-08-10 9:12 ` Sasha Levin
2024-08-11 14:32 ` Heiner Kallweit
2024-08-11 21:16 ` Sasha Levin
2025-02-23 0:57 ` Michael Pflüger
2025-02-23 9:43 ` Heiner Kallweit
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 04/27] wifi: rtlwifi: handle return value of usb init TX/RX Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 05/27] wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup() Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 06/27] net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 07/27] selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 08/27] rtnetlink: move rtnl_lock handling out of af_netlink Sasha Levin
2024-07-29 15:01 ` Jakub Kicinski
2024-07-28 0:52 ` Sasha Levin [this message]
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 10/27] net: Reference bpf_redirect_info via task_struct on PREEMPT_RT Sasha Levin
2024-07-29 15:00 ` Jakub Kicinski
2024-08-10 9:12 ` Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 11/27] af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect() Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 12/27] PCI: Add Edimax Vendor ID to pci_ids.h Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 13/27] wifi: mac80211: fix NULL dereference at band check in starting tx ba session Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 14/27] udf: prevent integer overflow in udf_bitmap_free_blocks() Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 15/27] bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses Sasha Levin
2024-07-28 0:52 ` [PATCH AUTOSEL 6.10 16/27] wifi: nl80211: don't give key data to userspace Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 17/27] can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 18/27] can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 19/27] net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on sa8775p-ride-r3 Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 20/27] mlxsw: pci: Lock configuration space of upstream bridge during reset Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 21/27] btrfs: do not clear page dirty inside extent_write_locked_range() Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 22/27] btrfs: do not BUG_ON() when freeing tree block after error Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 23/27] btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info() Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 24/27] btrfs: fix data race when accessing the last_trans field of a root Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 25/27] btrfs: fix bitmap leak when loading free space cache on duplicate entry Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 26/27] Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading Sasha Levin
2024-07-28 0:53 ` [PATCH AUTOSEL 6.10 27/27] Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240728005329.1723272-9-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=pkshih@realtek.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox