Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp18535131rwd; Tue, 27 Jun 2023 19:25:58 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5In5b6K35nqxadVPAftxIkJzXFCH6BjA5q4RtAMpK6CRT+O0lN3RqX+c2SvVnNpL8P1zJH X-Received: by 2002:a05:6a00:2405:b0:641:d9b:a444 with SMTP id z5-20020a056a00240500b006410d9ba444mr33100180pfh.31.1687919157954; Tue, 27 Jun 2023 19:25:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687919157; cv=none; d=google.com; s=arc-20160816; b=lbtAtHuYoY2VN5ezVSoHz0iF2uTOURzMqnMZWoWRlej5nUE+XwA8aHgTOfLaSQeOgX bIQmDgDFEdGiZ9myK/Aquov710TV70JbYawqsW2dsp7cfcpy/iPBrBmZolt4sLmpHmCR ocN7LpqkbEsh7v2UQqW1eJzM4z1G4LjfXBoct499eMc3+0jqVMO2k13fVXEuVko3Rh9i uAeKcP8rQMVi8Nd6gcF981rZpBLr9i9LSLDQ0C3dGKWAQQqm+23fpj/7iJg9exp18D4w HodRfXxjOww2bzGnFNw7Kul9oLWI6w2yZM4Hy3/szm0PVn3j2IzAjaL82Kfx4nKehHEJ ZPdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=h6pki8IEhRMBJIPFkBySip5mXparEvV54SUuzJnRAiY=; fh=/cB9cBLxXEHFfWXg0pz3uVMNAbArha+fOgINyePgWl4=; b=bswLVaBEKLAj6B7SzI6y1l+fk20aNHq1I7B9wuwia+7k9cpmHojDVClvUW/CBxNb2W F8QA+/7Bx9pCrl+YGRvdEuyGbB5tSxvY8waz++puUDi1Rb/PzUw3yerr7uwngFWaCzSm YkkGkXhXDKvqSShXe45iZVf7KzKtlSfWdQRsbnTbsKvdNcoPlxZ/yKjuUqNWoFB0LwUb GDEcFjKGEMYcEj2MWECUoH1YRQVFSg6Z04pgtEbeKT7AIs2lYTMcTN1uMHBuU2DsxI7W Q8glZkSlKIY3LdJfgKW0oo7ECMIE9x0IGnIlNskDDwgNaJb/xumahnxOWkWp+QvQ3Lio ZWwg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=DIuY3Lea; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t19-20020a63dd13000000b005572b563e65si8327121pgg.305.2023.06.27.19.25.50; Tue, 27 Jun 2023 19:25:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=DIuY3Lea; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231436AbjF1CWR (ORCPT + 58 others); Tue, 27 Jun 2023 22:22:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35186 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230315AbjF1CV7 (ORCPT ); Tue, 27 Jun 2023 22:21:59 -0400 Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 71E411FC1; Tue, 27 Jun 2023 19:21:47 -0700 (PDT) Received: by mail-pl1-x631.google.com with SMTP id d9443c01a7336-1b51488ad67so28962145ad.3; Tue, 27 Jun 2023 19:21:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687918907; x=1690510907; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=h6pki8IEhRMBJIPFkBySip5mXparEvV54SUuzJnRAiY=; b=DIuY3LeaXqAs0U5LXmV819WFNCPWVfpcBqzfshj256tQN1iF1vPKiVqskOC/sjPAXZ aNyN0D4YaSM27j7WK96wpJqaq07OjglkeVKSHbPdk/iItS4drvRdGfNSx1q8EqbqY3az CWVUH9psLGTdvmPdAO5yXBUtMEYGdRP+acPSBa7aN4eWbq53z9+ZLKr96V3+QhD+1Om2 VrTYqWrNDAQnvg8Ppn7OoSNQnHlQzBsmbKxzAd7h8Pcjm8uMGnDRzjni2gie4DD66l7d jP4qfs8e0HTYJX4xFPL2e7SpS9zsfTorLdGKYJYm96kKS/CD7X5QUTll+VlVRvpbPyGw MxcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687918907; x=1690510907; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=h6pki8IEhRMBJIPFkBySip5mXparEvV54SUuzJnRAiY=; b=CSRfonkmUP7GcCeHYuRAEeXaNw5PljV96jhE03cXpz3pfaJZXgntieO79TkllCAlkU P0fo06UAFmxuOOG0KdJTqGritrEHOwHTajE2WP0JYgB2IbBNt7iWLbRsmt41Iga+lIVc AC64owU/hPnPvrwkTZnpGvnMX4yZoQZCy7gfysAyfQlJglRRAdSM7e8dmtxVsskwDQgD XvsOZ6w9nvTj/xK0zZ9qz8zZH7KruEq7D9wCWHcJl7YTHhn2ecB0TjvY0SIKhbfKv+w0 PWfONLhKLqN2XviE2KQuULBJC6wNlDDz+T0AnTEHmy/GT1HZdvJnDCNHd8E6n3NdHhjG TnyQ== X-Gm-Message-State: AC+VfDzQi8taEz8K/Z+QSOnXVgsSd2cgyblhQDD0Y/Ec/vTqO4AE9ioW kBpOQmrm0aur+2LO2D6hnN4= X-Received: by 2002:a17:902:7402:b0:1b3:9d13:34b3 with SMTP id g2-20020a170902740200b001b39d1334b3mr9116715pll.37.1687918906781; Tue, 27 Jun 2023 19:21:46 -0700 (PDT) Received: from oslab-pc.tsinghua.edu.cn ([166.111.139.122]) by smtp.gmail.com with ESMTPSA id n2-20020a170902968200b001b7cbc5871csm1822165plp.53.2023.06.27.19.21.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Jun 2023 19:21:46 -0700 (PDT) From: Tuo Li To: srini.raju@purelifi.com, kvalo@kernel.org Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@outlook.com, Tuo Li , BassCheck Subject: [PATCH] wifi: plfxlc: Fix possible data races in rx_urb_complete() Date: Wed, 28 Jun 2023 10:21:21 +0800 Message-Id: <20230628022121.1010517-1-islituo@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The variable tx->submitted_urbs is often protected by the lock tx->lock when is accessed. Here is an example in plfxlc_usb_disable_tx(): spin_lock_irqsave(&tx->lock, flags); WARN_ON(!skb_queue_empty(&tx->submitted_skbs)); WARN_ON(tx->submitted_urbs != 0); tx->submitted_urbs = 0; spin_unlock_irqrestore(&tx->lock, flags); However, it is accessed without holding the lock tx->lock in rx_urb_complete(): if (tx->submitted_urbs++ < PURELIFI_URB_RETRY_MAX) --> Line 108 tx->submitted_urbs++ --> Line 110 tx->submitted_urbs = 0 --> Line 114 And thus data races can occur. To fix these possible data races, a lock and unlock pair is added when accessing the variable tx->submitted_urbs in rx_urb_complete(). Reported-by: BassCheck Signed-off-by: Tuo Li --- drivers/net/wireless/purelifi/plfxlc/usb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c index 76d0a778636a..44152a615c0e 100644 --- a/drivers/net/wireless/purelifi/plfxlc/usb.c +++ b/drivers/net/wireless/purelifi/plfxlc/usb.c @@ -69,6 +69,7 @@ static void handle_rx_packet(struct plfxlc_usb *usb, const u8 *buffer, static void rx_urb_complete(struct urb *urb) { struct plfxlc_usb_tx *tx; + unsigned long flags; struct plfxlc_usb *usb; unsigned int length; const u8 *buffer; @@ -105,13 +106,16 @@ static void rx_urb_complete(struct urb *urb) return; default: dev_dbg(plfxlc_urb_dev(urb), "urb %p error %d\n", urb, urb->status); + spin_lock_irqsave(&tx->lock, flags); if (tx->submitted_urbs++ < PURELIFI_URB_RETRY_MAX) { dev_dbg(plfxlc_urb_dev(urb), "urb %p resubmit %d", urb, tx->submitted_urbs++); + spin_unlock_irqrestore(&tx->lock, flags); goto resubmit; } else { dev_dbg(plfxlc_urb_dev(urb), "urb %p max resubmits reached", urb); tx->submitted_urbs = 0; + spin_unlock_irqrestore(&tx->lock, flags); return; } } -- 2.34.1