2d3b55853b
There was a race condition in SMP that an ath10k_peer was created but its
member sta was null. Following are procedures of ath10k_peer creation and
member sta access in peer statistics path.
1. Peer creation:
ath10k_peer_create()
=>ath10k_wmi_peer_create()
=>ath10k_wait_for_peer_created()
...
# another kernel path, RX from firmware
ath10k_htt_t2h_msg_handler()
=>ath10k_peer_map_event()
=>wake_up()
# ar->peer_map[id] = peer //add peer to map
#wake up original path from waiting
...
# peer->sta = sta //sta assignment
2. RX path of statistics
ath10k_htt_t2h_msg_handler()
=>ath10k_update_per_peer_tx_stats()
=>ath10k_htt_fetch_peer_stats()
# peer->sta //sta accessing
Any access of peer->sta after peer was added to peer_map but before sta was
assigned could cause a null pointer issue. And because these two steps are
asynchronous, no proper lock can protect them. So both peer and sta need to
be checked before access.
Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||
|---|---|---|
| .. | ||
| admtek | ||
| ath | ||
| atmel | ||
| broadcom | ||
| cisco | ||
| intel | ||
| intersil | ||
| marvell | ||
| mediatek | ||
| quantenna | ||
| ralink | ||
| realtek | ||
| rsi | ||
| st | ||
| ti | ||
| zydas | ||
| Kconfig | ||
| mac80211_hwsim.c | ||
| mac80211_hwsim.h | ||
| Makefile | ||
| ray_cs.c | ||
| ray_cs.h | ||
| rayctl.h | ||
| rndis_wlan.c | ||
| wl3501_cs.c | ||
| wl3501.h | ||