diff options
author | Stanislaw Gruszka <sgruszka@redhat.com> | 2011-04-20 16:02:58 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-04-25 14:50:15 -0400 |
commit | 2624e96ce16bacae0e422d5775eac6d4fc33239a (patch) | |
tree | 7a1454ce758150d0e3fb83cff87cb0f184b8b42c /drivers | |
parent | 9f2e731d1d278d853def1567735d8a823668a3c8 (diff) |
iwlwifi: fix possible data overwrite in hcmd callback
My commit 3598e1774c94e55c71b585340e7dc4538f310e3f
"iwlwifi: fix enqueue hcmd race conditions" move hcmd callback after
command queue reclaim, to avoid call it with hcmd_lock. But since
queue read index was updated, cmd data can be overwritten. Fix problem
by calling callback before taking hcmd_lock and queue reclaim.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-tx.c | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c index 80c3565a66a..52b1b66f32d 100644 --- a/drivers/net/wireless/iwlwifi/iwl-tx.c +++ b/drivers/net/wireless/iwlwifi/iwl-tx.c @@ -621,9 +621,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb) struct iwl_cmd_meta *meta; struct iwl_tx_queue *txq = &priv->txq[priv->cmd_queue]; unsigned long flags; - void (*callback) (struct iwl_priv *priv, struct iwl_device_cmd *cmd, - struct iwl_rx_packet *pkt); - /* If a Tx command is being handled and it isn't in the actual * command queue then there a command routing bug has been introduced @@ -637,8 +634,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb) return; } - spin_lock_irqsave(&priv->hcmd_lock, flags); - cmd_index = get_cmd_index(&txq->q, index, huge); cmd = txq->cmd[cmd_index]; meta = &txq->meta[cmd_index]; @@ -648,13 +643,14 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb) dma_unmap_len(meta, len), PCI_DMA_BIDIRECTIONAL); - callback = NULL; /* Input error checking is done when commands are added to queue. */ if (meta->flags & CMD_WANT_SKB) { meta->source->reply_page = (unsigned long)rxb_addr(rxb); rxb->page = NULL; - } else - callback = meta->callback; + } else if (meta->callback) + meta->callback(priv, cmd, pkt); + + spin_lock_irqsave(&priv->hcmd_lock, flags); iwl_hcmd_queue_reclaim(priv, txq_id, index, cmd_index); @@ -669,7 +665,4 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb) meta->flags = 0; spin_unlock_irqrestore(&priv->hcmd_lock, flags); - - if (callback) - callback(priv, cmd, pkt); } |