summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorStanislaw Gruszka <sgruszka@redhat.com>2011-04-20 16:02:58 +0200
committerJohn W. Linville <linville@tuxdriver.com>2011-04-25 20:50:15 +0200
commit2624e96ce16bacae0e422d5775eac6d4fc33239a (patch)
tree7a1454ce758150d0e3fb83cff87cb0f184b8b42c /drivers
parentssb: cc: add & fix defines (diff)
downloadlinux-2624e96ce16bacae0e422d5775eac6d4fc33239a.tar.xz
linux-2624e96ce16bacae0e422d5775eac6d4fc33239a.zip
iwlwifi: fix possible data overwrite in hcmd callback
My commit 3598e1774c94e55c71b585340e7dc4538f310e3f "iwlwifi: fix enqueue hcmd race conditions" move hcmd callback after command queue reclaim, to avoid call it with hcmd_lock. But since queue read index was updated, cmd data can be overwritten. Fix problem by calling callback before taking hcmd_lock and queue reclaim. Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-tx.c15
1 files changed, 4 insertions, 11 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c
index 80c3565a66ae..52b1b66f32d0 100644
--- a/drivers/net/wireless/iwlwifi/iwl-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-tx.c
@@ -621,9 +621,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
struct iwl_cmd_meta *meta;
struct iwl_tx_queue *txq = &priv->txq[priv->cmd_queue];
unsigned long flags;
- void (*callback) (struct iwl_priv *priv, struct iwl_device_cmd *cmd,
- struct iwl_rx_packet *pkt);
-
/* If a Tx command is being handled and it isn't in the actual
* command queue then there a command routing bug has been introduced
@@ -637,8 +634,6 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
return;
}
- spin_lock_irqsave(&priv->hcmd_lock, flags);
-
cmd_index = get_cmd_index(&txq->q, index, huge);
cmd = txq->cmd[cmd_index];
meta = &txq->meta[cmd_index];
@@ -648,13 +643,14 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
dma_unmap_len(meta, len),
PCI_DMA_BIDIRECTIONAL);
- callback = NULL;
/* Input error checking is done when commands are added to queue. */
if (meta->flags & CMD_WANT_SKB) {
meta->source->reply_page = (unsigned long)rxb_addr(rxb);
rxb->page = NULL;
- } else
- callback = meta->callback;
+ } else if (meta->callback)
+ meta->callback(priv, cmd, pkt);
+
+ spin_lock_irqsave(&priv->hcmd_lock, flags);
iwl_hcmd_queue_reclaim(priv, txq_id, index, cmd_index);
@@ -669,7 +665,4 @@ void iwl_tx_cmd_complete(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
meta->flags = 0;
spin_unlock_irqrestore(&priv->hcmd_lock, flags);
-
- if (callback)
- callback(priv, cmd, pkt);
}