admin/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-12-07 20:06:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

wifi: rtw89: splice C2H events queue to local to prevent racing

Browse Source 
RX task enqueues C2H events and fork a C2H work to handle events, but
the work uses skb_queue_walk_safe() without a lock causing potential
racing. Use skb_queue_splice() and its friends with spin_lock to splice
the queue to local, and then still use skb_queue_walk_safe() to iterate
all events.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251021133402.15467-2-pkshih@realtek.com
This commit is contained in:
Ping-Ke Shih
2025-10-21 21:33:55 +08:00
parent 9b567039e5
commit b47d748110
1 changed files with 22 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
drivers/net/wireless/realtek/rtw89/fw.c
View File

@@ -6891,11 +6891,18 @@ void rtw89_fw_c2h_work(struct wiphy *wiphy, struct wiphy_work *work)
struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev,
c2h_work);
struct sk_buff *skb, *tmp;
struct sk_buff_head c2hq;
unsigned long flags;
lockdep_assert_wiphy(rtwdev->hw->wiphy);
skb_queue_walk_safe(&rtwdev->c2h_queue, skb, tmp) {
skb_unlink(skb, &rtwdev->c2h_queue);
__skb_queue_head_init(&c2hq);
spin_lock_irqsave(&rtwdev->c2h_queue.lock, flags);
skb_queue_splice_init(&rtwdev->c2h_queue, &c2hq);
spin_unlock_irqrestore(&rtwdev->c2h_queue.lock, flags);
skb_queue_walk_safe(&c2hq, skb, tmp) {
rtw89_fw_c2h_cmd_handle(rtwdev, skb);
dev_kfree_skb_any(skb);
}
@@ -6905,18 +6912,20 @@ void rtw89_fw_c2h_purge_obsoleted_scan_events(struct rtw89_dev *rtwdev)
{
struct rtw89_hw_scan_info *scan_info = &rtwdev->scan_info;
struct sk_buff *skb, *tmp;
int limit;
struct sk_buff_head c2hq;
unsigned long flags;
lockdep_assert_wiphy(rtwdev->hw->wiphy);
limit = skb_queue_len(&rtwdev->c2h_queue);
__skb_queue_head_init(&c2hq);
skb_queue_walk_safe(&rtwdev->c2h_queue, skb, tmp) {
spin_lock_irqsave(&rtwdev->c2h_queue.lock, flags);
skb_queue_splice_init(&rtwdev->c2h_queue, &c2hq);
spin_unlock_irqrestore(&rtwdev->c2h_queue.lock, flags);
skb_queue_walk_safe(&c2hq, skb, tmp) {
struct rtw89_fw_c2h_attr *attr = RTW89_SKB_C2H_CB(skb);
if (--limit < 0)
return;
if (!attr->is_scan_event || attr->scan_seq == scan_info->seq)
continue;
@@ -6924,9 +6933,13 @@ void rtw89_fw_c2h_purge_obsoleted_scan_events(struct rtw89_dev *rtwdev)
"purge obsoleted scan event with seq=%d (cur=%d)\n",
attr->scan_seq, scan_info->seq);
skb_unlink(skb, &rtwdev->c2h_queue);
__skb_unlink(skb, &c2hq);
dev_kfree_skb_any(skb);
}
spin_lock_irqsave(&rtwdev->c2h_queue.lock, flags);
skb_queue_splice(&c2hq, &rtwdev->c2h_queue);
spin_unlock_irqrestore(&rtwdev->c2h_queue.lock, flags);
}
static int rtw89_fw_write_h2c_reg(struct rtw89_dev *rtwdev,