On 2020-01-11 18:15, Jia-Ju Bai wrote:
> The functions ath9k_config() and ath_ani_calibrate() may be concurrently
> executed.
>
> A variable survey->filled is accessed while holding a spinlock
> common->cc_lock, through:
> ath_ani_calibrate()
>   spin_lock_irqsave(&common->cc_lock, flags);
>   ath_update_survey_stats()
>     ath_update_survey_nf()
>       survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> The identical variables sc->cur_survey->filled and
> sc->survey[pos].filled are accessed without holding this lock, through:
> ath9k_config()
>   ath_chanctx_set_channel()
>     ath_set_channel()
>       sc->cur_survey->filled &= ~SURVEY_INFO_IN_USE;
>       sc->cur_survey->filled |= SURVEY_INFO_IN_USE;
>       else if (!(sc->survey[pos].filled & SURVEY_INFO_IN_USE))
>         ath_update_survey_nf
>           survey->filled |= SURVEY_INFO_NOISE_DBM;
>
> Thus, possible data races may occur.
>
> To fix these data races, in ath_set_channel(), these variables are
> accessed while holding the spinlock common->cc_lock.
>
> These data races are found by the runtime testing of our tool DILP-2.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>

I think a much better solution would be to stop common->ani.timer earlier
in ath_set_channel to prevent this race from occurring.

- Felix