[ldv-project] [net] libertas: potential race condition

Pavel Andrianov andrianov at ispras.ru
Tue Jun 14 06:16:11 PDT 2016

08.06.2016 02:51, James Cameron wrote:
> On Tue, Jun 07, 2016 at 09:39:55AM -0500, Dan Williams wrote:
>> On Tue, 2016-06-07 at 13:30 +0400, Pavel Andrianov wrote:
>>> Hi!
>>> There is a potential race condition in
>>> drivers/net/wireless/libertas/libertas.ko.
>>> In the function lbs_hard_start_xmit(..), line 159, a socket buffer
>>> is
>>> written to priv->current_skb with a spin_lock protection.
>>> In the function lbs_mac_event_disconnected(..), lines 50-51, the
>>> field
>>> current_skb is cleaned. There is no protection used. The
>>> corresponding
>>> handlers are activated at the same time in lbs_start_card(..) and
>>> then
>>> may be executed simultaneously. Note, there are two structures
>>> lbs_netdev_ops and mesh_netdev_ops, which have the target handler
>>> lbs_hard_start_xmit.
>>> Is it a real race or have I missed something?
>> Yeah, it looks like it should be grabbing priv->driver_lock before
>> clearing priv->currenttxskb in lbs_mac_event_disconnected().  Care to
>> submit a patch after testing?  Do you have any of that hardware?
> I've hardware, with serial console.
> Can test any patch, on USB (8388) or SDIO (8686).

I've prepared the patch for this issue. Could you test it?

Thank you.

Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov at ispras.ru

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-libertas-Add-spinlock-to-avoid-race-condition.patch
Type: text/x-patch
Size: 1329 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/libertas-dev/attachments/20160614/c8edd103/attachment.bin>