Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx> writes:

> The bug is here: "} else if (item) {".
>
> The list iterator value will *always* be set and non-NULL by
> list_for_each_entry(), so it is incorrect to assume that the iterator
> value will be NULL if the list is empty or no element is found in list.
>
> Use a new value 'iter' as the list iterator, while using the old value
> 'item' as a dedicated pointer to point to the found element, which
> 1. can fix this bug, because now 'item' is NULL only if it's not found.
> 2. does not need to change all the uses of 'item' after the loop.
> 3. can also limit the scope of the list iterator 'iter' *only inside*
> the traversal loop by simply declaring 'iter' inside the loop in the
> future, as usage of the iterator outside of the list_for_each_entry
> is considered harmful. https://lkml.org/lkml/2022/2/17/1032
>
> Fixes: a910e4a94f692 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx>
> ---
> changes since v2:
> - rebase on latest wireless-next (Kalle Valo)
> changes since v1:
> - fix incorrect check to item (Jakob Koschel)
>
> v2: https://lore.kernel.org/lkml/20220320035436.11293-1-xiam0nd.tong@xxxxxxxxx/
> v1: https://lore.kernel.org/all/20220319063800.28791-1-xiam0nd.tong@xxxxxxxxx/
> ---
> drivers/net/wireless/st/cw1200/queue.c | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/wireless/st/cw1200/queue.c b/drivers/net/wireless/st/cw1200/queue.c
> index e06da4b3b0d4..805a3c1bf8fe 100644
> --- a/drivers/net/wireless/st/cw1200/queue.c
> +++ b/drivers/net/wireless/st/cw1200/queue.c
> @@ -91,23 +91,25 @@ static void __cw1200_queue_gc(struct cw1200_queue *queue, > bool unlock) > { > struct cw1200_queue_stats *stats = queue->stats; > - struct cw1200_queue_item *item = NULL, *tmp; > + struct cw1200_queue_item *item = NULL, *iter, *tmp; > bool wakeup_stats = false; > > - list_for_each_entry_safe(item, tmp, &queue->queue, head) { > - if (time_is_after_jiffies(item->queue_timestamp + queue->ttl)) > + list_for_each_entry_safe(iter, tmp, &queue->queue, head) { > + if (time_is_after_jiffies(iter->queue_timestamp + queue->ttl)) { > + item = iter; > break; > + } > --queue->num_queued; > - --queue->link_map_cache[item->txpriv.link_id]; > + --queue->link_map_cache[iter->txpriv.link_id]; > spin_lock_bh(&stats->lock); > --stats->num_queued; > - if (!--stats->link_map_cache[item->txpriv.link_id]) > + if (!--stats->link_map_cache[iter->txpriv.link_id]) > wakeup_stats = true; > spin_unlock_bh(&stats->lock); > cw1200_debug_tx_ttl(stats->priv); > - cw1200_queue_register_post_gc(head, item); > - item->skb = NULL; > - list_move_tail(&item->head, &queue->free_pool); > + cw1200_queue_register_post_gc(head, iter); > + iter->skb = NULL; > + list_move_tail(&iter->head, &queue->free_pool); > } > > if (wakeup_stats)

I started to look at this myself. I don't know if I'm missing something, but is the time_is_after_jiffies() really correct? This was added by Wang in commit 8cbc3d51b4ae ("cw1200: use time_is_after_jiffies() instead of open coding it"):

- if (jiffies - item->queue_timestamp < queue->ttl)
+ if (time_is_after_jiffies(item->queue_timestamp + queue->ttl))

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cbc3d51b4ae

-- 
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
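Review bot: the hunk stops at `if (wakeup_stats)` and does not include the post-loop `} else if (item) {` branch that the commit message names as the bug, so a reviewer cannot verify from this context that every later use of `item` expects "first entry that has not yet expired" (the only path that now assigns `item = iter`) rather than the iterator position; please widen the context or spell out those uses in the message. On the condition the `break` is taken on, `time_is_after_jiffies(iter->queue_timestamp + queue->ttl)` is true while the entry's deadline is still ahead of jiffies, i.e. the entry is live and the TTL sweep should stop there, which is the same predicate as the open-coded `jiffies - item->queue_timestamp < queue->ttl` quoted in the reply, so assigning `item` at that point is the intended behaviour.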
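The iterator misuse the commit message describes, and the fix it applies, as an added example that is not the cw1200 driver's or the kernel's code: a userspace stand-in for list_for_each_entry() and a time_after()-style check, run over constructed queue entries, showing that the iterator is never NULL after an exhausted loop while a separately assigned found pointer is.

```c
#include <stddef.h>
/* Userspace stand-ins for the kernel list helpers: constructed here, not the
 * kernel's own code, but with the same iteration semantics as <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = list_entry((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))
#define time_is_after(a, now) ((long)((a) - (now)) > 0) /* wraparound-safe, like time_after() */
struct queue_item { struct list_head head; unsigned long queue_timestamp; };
struct queue { struct list_head queue; unsigned long ttl; };
static void queue_add(struct queue *q, struct queue_item *it) /* tail insert */
{
	it->head.next = &q->queue; it->head.prev = q->queue.prev;
	q->queue.prev->next = &it->head; q->queue.prev = &it->head;
}
/* Buggy pattern from the commit message: the iterator itself is tested after
 * the loop. With nothing found it is not NULL but aliases the list head. */
static struct queue_item *first_live_buggy(struct queue *q, unsigned long now)
{
	struct queue_item *item = NULL;
	list_for_each_entry(item, &q->queue, head)
		if (time_is_after(item->queue_timestamp + q->ttl, now))
			break;
	return item; /* a caller's "if (item)" is always true here */
}
/* Fixed pattern: 'iter' walks the list, 'item' is set only on a hit. */
static struct queue_item *first_live_fixed(struct queue *q, unsigned long now)
{
	struct queue_item *item = NULL, *iter;
	list_for_each_entry(iter, &q->queue, head)
		if (time_is_after(iter->queue_timestamp + q->ttl, now)) {
			item = iter;
			break;
		}
	return item; /* NULL when the list is empty or every entry has expired */
}
/* Constructed scenario: empty queue, then one expired and one live entry. */
static int demo_results(void)
{
	struct queue q = { .queue = { &q.queue, &q.queue }, .ttl = 100 };
	struct queue_item expired = { .queue_timestamp = 0 }, live = { .queue_timestamp = 950 };
	int r = first_live_buggy(&q, 1000) != NULL;      /* 1: bogus "hit" on an empty list */
	r |= (first_live_fixed(&q, 1000) == NULL) << 1;  /* 2: correct miss */
	queue_add(&q, &expired); queue_add(&q, &live);
	r |= (first_live_fixed(&q, 1000) == &live) << 2; /* 4: skips the expired entry */
	return r; /* 7 */
}
```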