Patch "wifi: iwlwifi: mvm: Add locking to the rate read flow" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 5 Jun 2023 07:43:24 -0400

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: mvm: Add locking to the rate read flow

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-mvm-add-locking-to-the-rate-read-flow.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a97a2607d6004d599fb9ed69aefad8962672add1
Author: Ariel Malamud <ariel.malamud@xxxxxxxxx>
Date:   Sun May 14 12:15:55 2023 +0300

    wifi: iwlwifi: mvm: Add locking to the rate read flow
    
    [ Upstream commit a8938bc881d2a03f9b77f19fae924fe798a01285 ]
    
    The rs_drv_get_rate flow reads the lq_sta to return the optimal rate
    for tx frames. This read flow is not protected thereby leaving
    a small window, a few instructions wide, open to contention by an
    asynchronous rate update. Indeed this race condition was hit and the
    update occurred in the middle of the read.
    
    Fix this by locking the lq_sta struct during read.
    
    Signed-off-by: Ariel Malamud <ariel.malamud@xxxxxxxxx>
    Signed-off-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230514120631.b52c9ed5c379.I15290b78e0d966c1b68278263776ca9de841d5fe@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
index 0b50b816684a0..2be6801d48aca 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
@@ -2692,6 +2692,8 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta,
 		return;
 
 	lq_sta = mvm_sta;
+
+	spin_lock(&lq_sta->pers.lock);
 	iwl_mvm_hwrate_to_tx_rate_v1(lq_sta->last_rate_n_flags,
 				     info->band, &info->control.rates[0]);
 	info->control.rates[0].count = 1;
@@ -2706,6 +2708,7 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta,
 		iwl_mvm_hwrate_to_tx_rate_v1(last_ucode_rate, info->band,
 					     &txrc->reported_rate);
 	}
+	spin_unlock(&lq_sta->pers.lock);
 }
 
 static void *rs_drv_alloc_sta(void *mvm_rate, struct ieee80211_sta *sta,






