Maya Erez <qca_merez@xxxxxxxxxxxxxxxx> wrote: > There are 2 possible race conditions, both are solved by addition of > memory barrier: > 1. wil_tx_complete reads the swhead to determine if the vring is > empty. In case the swhead was updated before the descriptor update > was performed in __wil_tx_vring/__wil_tx_vring_tso, the completion > loop will not end and as the DU bit may still be set from a previous > run, this skb can be handled as completed before it was sent, which > will lead to double free of the same SKB. > 2. __wil_tx_vring/__wil_tx_vring_tso calculate the number of available > descriptors according to the swtail. In case the swtail is updated > before memset of ctx to zero is completed, we can handle this > descriptor while later on ctx is zeroed. > > Signed-off-by: Maya Erez <qca_merez@xxxxxxxxxxxxxxxx> Thanks, 6 patches applied to ath.git: eb26cff148f5 wil6210: fix race conditions between TX send and completion ab6d7cc3eab4 wil6210: guarantee safe access to rx descriptors shared memory 34b8886e502a wil6210: protect wil_vring_fini_tx in parallel to tx completions a1526f7eafa4 wil6210: fix dma mapping error cleanup in __wil_tx_vring_tso e34dc6475a7b wil6210: add pm_notify handling 8fe2a5f9f9b5 wil6210: align wil log functions to wil_dbg_ratelimited implementation -- Sent by pwcli https://patchwork.kernel.org/patch/9105441/ -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
