From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
To: parthiban.veerasooran@microchip.com, netdev@vger.kernel.org
Cc: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org,
Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
Subject: [PATCH net-next] net: ethernet: oa_tc6: fix race condition on ongoing_tx_skb
Date: Thu, 19 Dec 2024 12:29:26 +0530 [thread overview]
Message-ID: <20241219065926.1051732-1-dheeraj.linuxdev@gmail.com> (raw)
A race condition exists in function oa_tc6_prepare_spi_tx_buf_for_tx_skbs
due to an unsynchronized access to shared variable tc6->ongoing_tx_skb.
The issue arises because the condition (!tc6->ongoing_tx_skb) is checked
outside the critical section. Two or more threads can simultaneously
evaluate this condition as true before acquiring the lock. This results
in both threads entering the critical section and modifying
tc6->ongoing_tx_skb, causing inconsistent state updates or overwriting
each other's changes.
Consider the following scenario. A race window exists in the sequence:
Thread1 Thread2
------------------------ ------------------------
- if ongoing_tx_skb is NULL
- if ongoing_tx_skb is NULL
- spin_lock_bh()
- ongoing_tx_skb = waiting_tx_skb
- waiting_tx_skb = NULL
- spin_unlock_bh()
- spin_lock_bh()
- ongoing_tx_skb = waiting_tx_skb
- waiting_tx_skb = NULL
- spin_unlock_bh()
This leads to lost updates between ongoing_tx_skb and waiting_tx_skb
fields. Moving the NULL check inside the critical section ensures both
the NULL check and the assignment are protected by the same lock,
maintaining atomic check-and-set operations.
Fixes: e592b5110b3e ("net: ethernet: oa_tc6: fix tx skb race condition between reference pointers")
Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602611
Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
---
drivers/net/ethernet/oa_tc6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/oa_tc6.c b/drivers/net/ethernet/oa_tc6.c
index db200e4ec284..66d55ec9bc88 100644
--- a/drivers/net/ethernet/oa_tc6.c
+++ b/drivers/net/ethernet/oa_tc6.c
@@ -1004,12 +1004,12 @@ static u16 oa_tc6_prepare_spi_tx_buf_for_tx_skbs(struct oa_tc6 *tc6)
*/
for (used_tx_credits = 0; used_tx_credits < tc6->tx_credits;
used_tx_credits++) {
+ spin_lock_bh(&tc6->tx_skb_lock);
if (!tc6->ongoing_tx_skb) {
- spin_lock_bh(&tc6->tx_skb_lock);
tc6->ongoing_tx_skb = tc6->waiting_tx_skb;
tc6->waiting_tx_skb = NULL;
- spin_unlock_bh(&tc6->tx_skb_lock);
}
+ spin_unlock_bh(&tc6->tx_skb_lock);
if (!tc6->ongoing_tx_skb)
break;
oa_tc6_add_tx_skb_to_spi_buf(tc6);
--
2.34.1
next reply other threads:[~2024-12-19 6:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-19 6:59 Dheeraj Reddy Jonnalagadda [this message]
2024-12-19 12:06 ` [PATCH net-next] net: ethernet: oa_tc6: fix race condition on ongoing_tx_skb Parthiban.Veerasooran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241219065926.1051732-1-dheeraj.linuxdev@gmail.com \
--to=dheeraj.linuxdev@gmail.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=parthiban.veerasooran@microchip.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).