diff options
| author | Amitkumar Karwar <akarwar@marvell.com> | 2013-03-15 21:47:05 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2013-03-18 15:20:36 -0400 |
| commit | 00d7ea11ff0783e24fe70778f3141270b561aaa1 (patch) | |
| tree | 7b1275391f76d2202dc884c9a2b53e0715127c3b /drivers/net/wireless/mwifiex | |
| parent | 01d4ab96d2e7fceaad204e5a8710ce34e229b8c5 (diff) | |
mwifiex: fix race when queuing commands
Running the following script repeatedly on XO-4 with SD8787
produces command timeout and system lockup.
insmod mwifiex_sdio.ko
sleep 1
ifconfig eth0 up
iwlist eth0 scan &
sleep 0.5
rmmod mwifiex_sdio
mwifiex_send_cmd_async() is called for sync as well as async
commands. (mwifiex_send_cmd_sync() internally calls it for
sync command.)
"adapter->cmd_queued" gets filled inside mwifiex_send_cmd_async()
routine for both types of commands. But it is used only for sync
commands in mwifiex_wait_queue_complete(). This could lead to a
race when two threads try to queue a sync command with another
sync/async command simultaneously.
Get rid of global variable and pass command node as a parameter
to mwifiex_wait_queue_complete() to fix the problem.
Cc: <stable@vger.kernel.org> # 3.8
Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Tested-by: Marco Cesarano <marco@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/mwifiex')
| -rw-r--r-- | drivers/net/wireless/mwifiex/cmdevt.c | 5 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/main.h | 4 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/scan.c | 8 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/sta_ioctl.c | 10 |
4 files changed, 10 insertions, 17 deletions
diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c index 20a6c5555873..2ffabddbcfca 100644 --- a/drivers/net/wireless/mwifiex/cmdevt.c +++ b/drivers/net/wireless/mwifiex/cmdevt.c | |||
| @@ -484,8 +484,6 @@ int mwifiex_send_cmd_sync(struct mwifiex_private *priv, uint16_t cmd_no, | |||
| 484 | 484 | ||
| 485 | ret = mwifiex_send_cmd_async(priv, cmd_no, cmd_action, cmd_oid, | 485 | ret = mwifiex_send_cmd_async(priv, cmd_no, cmd_action, cmd_oid, |
| 486 | data_buf); | 486 | data_buf); |
| 487 | if (!ret) | ||
| 488 | ret = mwifiex_wait_queue_complete(adapter); | ||
| 489 | 487 | ||
| 490 | return ret; | 488 | return ret; |
| 491 | } | 489 | } |
| @@ -588,9 +586,10 @@ int mwifiex_send_cmd_async(struct mwifiex_private *priv, uint16_t cmd_no, | |||
| 588 | if (cmd_no == HostCmd_CMD_802_11_SCAN) { | 586 | if (cmd_no == HostCmd_CMD_802_11_SCAN) { |
| 589 | mwifiex_queue_scan_cmd(priv, cmd_node); | 587 | mwifiex_queue_scan_cmd(priv, cmd_node); |
| 590 | } else { | 588 | } else { |
| 591 | adapter->cmd_queued = cmd_node; | ||
| 592 | mwifiex_insert_cmd_to_pending_q(adapter, cmd_node, true); | 589 | mwifiex_insert_cmd_to_pending_q(adapter, cmd_node, true); |
| 593 | queue_work(adapter->workqueue, &adapter->main_work); | 590 | queue_work(adapter->workqueue, &adapter->main_work); |
| 591 | if (cmd_node->wait_q_enabled) | ||
| 592 | ret = mwifiex_wait_queue_complete(adapter, cmd_node); | ||
| 594 | } | 593 | } |
| 595 | 594 | ||
| 596 | return ret; | 595 | return ret; |
diff --git a/drivers/net/wireless/mwifiex/main.h b/drivers/net/wireless/mwifiex/main.h index 553adfb0aa81..7035ade9af74 100644 --- a/drivers/net/wireless/mwifiex/main.h +++ b/drivers/net/wireless/mwifiex/main.h | |||
| @@ -723,7 +723,6 @@ struct mwifiex_adapter { | |||
| 723 | u16 cmd_wait_q_required; | 723 | u16 cmd_wait_q_required; |
| 724 | struct mwifiex_wait_queue cmd_wait_q; | 724 | struct mwifiex_wait_queue cmd_wait_q; |
| 725 | u8 scan_wait_q_woken; | 725 | u8 scan_wait_q_woken; |
| 726 | struct cmd_ctrl_node *cmd_queued; | ||
| 727 | spinlock_t queue_lock; /* lock for tx queues */ | 726 | spinlock_t queue_lock; /* lock for tx queues */ |
| 728 | struct completion fw_load; | 727 | struct completion fw_load; |
| 729 | u8 country_code[IEEE80211_COUNTRY_STRING_LEN]; | 728 | u8 country_code[IEEE80211_COUNTRY_STRING_LEN]; |
| @@ -1018,7 +1017,8 @@ int mwifiex_request_set_multicast_list(struct mwifiex_private *priv, | |||
| 1018 | struct mwifiex_multicast_list *mcast_list); | 1017 | struct mwifiex_multicast_list *mcast_list); |
| 1019 | int mwifiex_copy_mcast_addr(struct mwifiex_multicast_list *mlist, | 1018 | int mwifiex_copy_mcast_addr(struct mwifiex_multicast_list *mlist, |
| 1020 | struct net_device *dev); | 1019 | struct net_device *dev); |
| 1021 | int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter); | 1020 | int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter, |
| 1021 | struct cmd_ctrl_node *cmd_queued); | ||
| 1022 | int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, | 1022 | int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, |
| 1023 | struct cfg80211_ssid *req_ssid); | 1023 | struct cfg80211_ssid *req_ssid); |
| 1024 | int mwifiex_cancel_hs(struct mwifiex_private *priv, int cmd_type); | 1024 | int mwifiex_cancel_hs(struct mwifiex_private *priv, int cmd_type); |
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c index bb60c2754a97..d215b4d3c51b 100644 --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c | |||
| @@ -1388,10 +1388,13 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, | |||
| 1388 | list_del(&cmd_node->list); | 1388 | list_del(&cmd_node->list); |
| 1389 | spin_unlock_irqrestore(&adapter->scan_pending_q_lock, | 1389 | spin_unlock_irqrestore(&adapter->scan_pending_q_lock, |
| 1390 | flags); | 1390 | flags); |
| 1391 | adapter->cmd_queued = cmd_node; | ||
| 1392 | mwifiex_insert_cmd_to_pending_q(adapter, cmd_node, | 1391 | mwifiex_insert_cmd_to_pending_q(adapter, cmd_node, |
| 1393 | true); | 1392 | true); |
| 1394 | queue_work(adapter->workqueue, &adapter->main_work); | 1393 | queue_work(adapter->workqueue, &adapter->main_work); |
| 1394 | |||
| 1395 | /* Perform internal scan synchronously */ | ||
| 1396 | if (!priv->scan_request) | ||
| 1397 | mwifiex_wait_queue_complete(adapter, cmd_node); | ||
| 1395 | } else { | 1398 | } else { |
| 1396 | spin_unlock_irqrestore(&adapter->scan_pending_q_lock, | 1399 | spin_unlock_irqrestore(&adapter->scan_pending_q_lock, |
| 1397 | flags); | 1400 | flags); |
| @@ -1946,9 +1949,6 @@ int mwifiex_request_scan(struct mwifiex_private *priv, | |||
| 1946 | /* Normal scan */ | 1949 | /* Normal scan */ |
| 1947 | ret = mwifiex_scan_networks(priv, NULL); | 1950 | ret = mwifiex_scan_networks(priv, NULL); |
| 1948 | 1951 | ||
| 1949 | if (!ret) | ||
| 1950 | ret = mwifiex_wait_queue_complete(priv->adapter); | ||
| 1951 | |||
| 1952 | up(&priv->async_sem); | 1952 | up(&priv->async_sem); |
| 1953 | 1953 | ||
| 1954 | return ret; | 1954 | return ret; |
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index 9f33c92c90f5..13100f8de3db 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c | |||
| @@ -54,16 +54,10 @@ int mwifiex_copy_mcast_addr(struct mwifiex_multicast_list *mlist, | |||
| 54 | * This function waits on a cmd wait queue. It also cancels the pending | 54 | * This function waits on a cmd wait queue. It also cancels the pending |
| 55 | * request after waking up, in case of errors. | 55 | * request after waking up, in case of errors. |
| 56 | */ | 56 | */ |
| 57 | int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter) | 57 | int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter, |
| 58 | struct cmd_ctrl_node *cmd_queued) | ||
| 58 | { | 59 | { |
| 59 | int status; | 60 | int status; |
| 60 | struct cmd_ctrl_node *cmd_queued; | ||
| 61 | |||
| 62 | if (!adapter->cmd_queued) | ||
| 63 | return 0; | ||
| 64 | |||
| 65 | cmd_queued = adapter->cmd_queued; | ||
| 66 | adapter->cmd_queued = NULL; | ||
| 67 | 61 | ||
| 68 | dev_dbg(adapter->dev, "cmd pending\n"); | 62 | dev_dbg(adapter->dev, "cmd pending\n"); |
| 69 | atomic_inc(&adapter->cmd_pending); | 63 | atomic_inc(&adapter->cmd_pending); |