niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

iwlwifi: fix possible data overwrite in hcmd callback

Browse source 
My commit 3598e1774c
"iwlwifi: fix enqueue hcmd race conditions" move hcmd callback after
command queue reclaim, to avoid call it with hcmd_lock. But since
queue read index was updated, cmd data can be overwritten. Fix problem
by calling callback before taking hcmd_lock and queue reclaim.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Stanislaw Gruszka 2011-04-20 16:02:58 +02:00 committed by John W. Linville
parent 9f2e731d1d
commit 2624e96ce1
1 changed files with 4 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
drivers/net/wireless/iwlwifi/iwl-tx.c
View file

@ -621,9 +621,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
struct iwl_cmd_meta *meta; struct iwl_cmd_meta *meta;
struct iwl_tx_queue *txq = &priv->txq[priv->cmd_queue]; struct iwl_tx_queue *txq = &priv->txq[priv->cmd_queue];
unsigned long flags; unsigned long flags;
void (*callback) (struct iwl_priv *priv, struct iwl_device_cmd *cmd,
struct iwl_rx_packet *pkt);
/* If a Tx command is being handled and it isn't in the actual /* If a Tx command is being handled and it isn't in the actual
* command queue then there a command routing bug has been introduced * command queue then there a command routing bug has been introduced
@ -637,8 +634,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
return; return;
} }
spin_lock_irqsave(&priv->hcmd_lock, flags);
cmd_index = get_cmd_index(&txq->q, index, huge); cmd_index = get_cmd_index(&txq->q, index, huge);
cmd = txq->cmd[cmd_index]; cmd = txq->cmd[cmd_index];
meta = &txq->meta[cmd_index]; meta = &txq->meta[cmd_index];
@ -648,13 +643,14 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
dma_unmap_len(meta, len), dma_unmap_len(meta, len),
PCI_DMA_BIDIRECTIONAL); PCI_DMA_BIDIRECTIONAL);
callback = NULL;
/* Input error checking is done when commands are added to queue. */ /* Input error checking is done when commands are added to queue. */
if (meta->flags & CMD_WANT_SKB) { if (meta->flags & CMD_WANT_SKB) {
meta->source->reply_page = (unsigned long)rxb_addr(rxb); meta->source->reply_page = (unsigned long)rxb_addr(rxb);
rxb->page = NULL; rxb->page = NULL;
} else } else if (meta->callback)
callback = meta->callback; meta->callback(priv, cmd, pkt);
spin_lock_irqsave(&priv->hcmd_lock, flags);
iwl_hcmd_queue_reclaim(priv, txq_id, index, cmd_index); iwl_hcmd_queue_reclaim(priv, txq_id, index, cmd_index);
@ -669,7 +665,4 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
meta->flags = 0; meta->flags = 0;
spin_unlock_irqrestore(&priv->hcmd_lock, flags); spin_unlock_irqrestore(&priv->hcmd_lock, flags);
if (callback)
callback(priv, cmd, pkt);
} }