2020-01-11 17:19:39

by Jia-Ju Bai

[permalink] [raw]
Subject: [PATCH] ath9k: Fix possible data races in ath_set_channel()

The functions ath9k_config() and ath_ani_calibrate() may be concurrently
executed.

A variable survey->filled is accessed with holding a spinlock
common->cc_lock, through:
ath_ani_calibrate()
spin_lock_irqsave(&common->cc_lock, flags);
ath_update_survey_stats()
ath_update_survey_nf()
survey->filled |= SURVEY_INFO_NOISE_DBM;

The identical variables sc->cur_survey->filled and
sc->survey[pos].filled is accessed without holding this lock, through:
ath9k_config()
ath_chanctx_set_channel()
ath_set_channel()
sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
ath_update_survey_nf
survey->filled |= SURVEY_INFO_NOISE_DBM;

Thus, possible data races may occur.

To fix these data races, in ath_set_channel(), these variables are
accessed with holding the spinlock common->cc_lock.

These data races are found by the runtime testing of our tool DILP-2.

Signed-off-by: Jia-Ju Bai <[email protected]>
---
drivers/net/wireless/ath/ath9k/channel.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
index fd61ae4782b6..b16f7f65e9c6 100644
--- a/drivers/net/wireless/ath/ath9k/channel.c
+++ b/drivers/net/wireless/ath/ath9k/channel.c
@@ -54,6 +54,7 @@ static int ath_set_channel(struct ath_softc *sc)
* Reset the survey data for the new channel, unless we're switching
* back to the operating channel from an off-channel operation.
*/
+ spin_lock_irqsave(&common->cc_lock, flags);
if (!sc->cur_chan->offchannel && sc->cur_survey != &sc->survey[pos]) {
if (sc->cur_survey)
sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
@@ -65,6 +66,7 @@ static int ath_set_channel(struct ath_softc *sc)
} else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE)) {
memset(&sc->survey[pos], 0, sizeof(struct survey_info));
}
+ spin_unlock_irqrestore(&common->cc_lock, flags);

hchan = &sc->sc_ah->channels[pos];
r = ath_reset(sc, hchan);
@@ -75,8 +77,11 @@ static int ath_set_channel(struct ath_softc *sc)
* channel is only available after the hardware reset. Copy it to
* the survey stats now.
*/
- if (old_pos >= 0)
+ if (old_pos >= 0) {
+ spin_lock_irqsave(&common->cc_lock, flags);
ath_update_survey_nf(sc, old_pos);
+ spin_unlock_irqrestore(&common->cc_lock, flags);
+ }

/* Enable radar pulse detection if on a DFS channel. Spectral
* scanning and radar detection can not be used concurrently.
--
2.17.1


2020-01-13 07:18:06

by Kalle Valo

[permalink] [raw]
Subject: Re: [PATCH] ath9k: Fix possible data races in ath_set_channel()

Jia-Ju Bai <[email protected]> writes:

> The functions ath9k_config() and ath_ani_calibrate() may be concurrently
> executed.
>
> A variable survey->filled is accessed with holding a spinlock
> common->cc_lock, through:
> ath_ani_calibrate()
> spin_lock_irqsave(&common->cc_lock, flags);
> ath_update_survey_stats()
> ath_update_survey_nf()
> survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> The identical variables sc->cur_survey->filled and
> sc->survey[pos].filled is accessed without holding this lock, through:
> ath9k_config()
> ath_chanctx_set_channel()
> ath_set_channel()
> sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
> sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
> else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
> ath_update_survey_nf
> survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> Thus, possible data races may occur.
>
> To fix these data races, in ath_set_channel(), these variables are
> accessed with holding the spinlock common->cc_lock.
>
> These data races are found by the runtime testing of our tool DILP-2.
>
> Signed-off-by: Jia-Ju Bai <[email protected]>

I need a detailed review from somone familiar with ath9k before I can
consider applying this.

--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

2020-01-13 08:27:51

by Felix Fietkau

[permalink] [raw]
Subject: Re: [PATCH] ath9k: Fix possible data races in ath_set_channel()

On 2020-01-11 18:15, Jia-Ju Bai wrote:
> The functions ath9k_config() and ath_ani_calibrate() may be concurrently
> executed.
>
> A variable survey->filled is accessed with holding a spinlock
> common->cc_lock, through:
> ath_ani_calibrate()
> spin_lock_irqsave(&common->cc_lock, flags);
> ath_update_survey_stats()
> ath_update_survey_nf()
> survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> The identical variables sc->cur_survey->filled and
> sc->survey[pos].filled is accessed without holding this lock, through:
> ath9k_config()
> ath_chanctx_set_channel()
> ath_set_channel()
> sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
> sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
> else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
> ath_update_survey_nf
> survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> Thus, possible data races may occur.
>
> To fix these data races, in ath_set_channel(), these variables are
> accessed with holding the spinlock common->cc_lock.
>
> These data races are found by the runtime testing of our tool DILP-2.
>
> Signed-off-by: Jia-Ju Bai <[email protected]>
I think a much better solution would be to stop common->ani.timer
earlier in ath_set_channel to prevent this race from occurring.

- Felix