Hi!
There is a potential race condition in
drivers/net/wireless/ath/wcn36xx/wcn36xx.ko. In wcn36xx_tx ->
wcn36xx_start_tx -> wcn36xx_set_tx_data
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L176)
there is a read of sta_priv->bss_dpu_desc_index and
sta_priv->bss_sta_index. In wcn36xx_bss_info_changed ->
wcn36xx_smd_config_bss -> wcn36xx_smd_config_bss_rsp
(http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L1204)
there is a write to the same fields. It seems that the handlers may be
called in parallel and inconsistent data may be obtained.
The same problem is with sta_priv->sta_index and
sta_priv->sta_dpu_desc_index:
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L181
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L986
Is it a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data?
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@xxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
