ath11k: fix potential wmi_mgmt_tx_queue race condition

There is a potential race condition between skb_queue_len() and skb_queue_tail(), the former may get old value before updated by the latter. So use skb_queue_len_lockless() instead. And also use '>=', in case we queue a few SKBs simultaneously. Found while discussing a similar fix for ath10k: https://patchwork.kernel.org/project/linux-wireless/patch/1608515579-1066-1-git-send-email-miaoqing@codeaurora.org/ No functional changes, compile tested only. Signed-off-by: N Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1613630709-704-1-git-send-email-miaoqing@codeaurora.org

ath11k: fix potential wmi_mgmt_tx_queue race condition
There is a potential race condition between skb_queue_len() and skb_queue_tail(), the former may get old value before updated by the latter. So use skb_queue_len_lockless() instead. And also use '>=', in case we queue a few SKBs simultaneously. Found while discussing a similar fix for ath10k: https://patchwork.kernel.org/project/linux-wireless/patch/1608515579-1066-1-git-send-email-miaoqing@codeaurora.org/ No functional changes, compile tested only. Signed-off-by: N Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1613630709-704-1-git-send-email-miaoqing@codeaurora.org
3808a180 · Miaoqing Pan · Kalle Valo · 097e9f07 · 3808a180
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/net/wireless/ath/ath11k/mac.c drivers/net/wireless/ath/ath11k/mac.c +1 -1

未找到文件。
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -4211,7 +4211,7 @@ static int ath11k_mac_mgmt_tx(struct ath11k *ar, struct sk_buff *skb,
 		return -ENOSPC;
 	}
-	if (skb_queue_len(q) == ATH11K_TX_MGMT_NUM_PENDING_MAX) {
+	if (skb_queue_len_lockless(q) >= ATH11K_TX_MGMT_NUM_PENDING_MAX) {
 		ath11k_warn(ar->ab, "mgmt tx queue is full\n");
 		return -ENOSPC;
 	}