There is a potential race condition between skb_queue_len()
and skb_queue_tail(), the former may get old value before
updated by the latter.
So use skb_queue_len_lockless() instead. And also use '>=',
in case we queue a few SKBs simultaneously.
Found while discussing a similar fix for ath10k:
https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/
No functional changes, compile tested only.
Signed-off-by: Miaoqing Pan <[email protected]>
---
drivers/net/wireless/ath/ath11k/mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 335d49a..3c1f35a 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -4211,7 +4211,7 @@ static int ath11k_mac_mgmt_tx(struct ath11k *ar, struct sk_buff *skb,
return -ENOSPC;
}
- if (skb_queue_len(q) == ATH11K_TX_MGMT_NUM_PENDING_MAX) {
+ if (skb_queue_len_lockless(q) >= ATH11K_TX_MGMT_NUM_PENDING_MAX) {
ath11k_warn(ar->ab, "mgmt tx queue is full\n");
return -ENOSPC;
}
--
2.7.4
Miaoqing Pan <[email protected]> wrote:
> There is a potential race condition between skb_queue_len()
> and skb_queue_tail(), the former may get old value before
> updated by the latter.
>
> So use skb_queue_len_lockless() instead. And also use '>=',
> in case we queue a few SKBs simultaneously.
>
> Found while discussing a similar fix for ath10k:
> https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/
>
> No functional changes, compile tested only.
>
> Signed-off-by: Miaoqing Pan <[email protected]>
> Signed-off-by: Kalle Valo <[email protected]>
Patch applied to ath-next branch of ath.git, thanks.
3808a18043a8 ath11k: fix potential wmi_mgmt_tx_queue race condition
--
https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches