| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jun 2016 18:42:32 +0400 From: Pavel Andrianov <andrianov@...ras.ru> To: Eugene Krasnikov <k.eugene.e@...il.com> CC: Kalle Valo <kvalo@...eaurora.org>, wcn36xx@...ts.infradead.org, linux-wireless@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, ldv-project@...uxtesting.org, Vaishali Thakkar <vaishali.thakkar@...cle.com> Subject: [ldv-project] [net] wcn36xx: potential race condition Hi! There is a potential race condition in drivers/net/wireless/ath/wcn36xx/wcn36xx.ko. In wcn36xx_tx -> wcn36xx_start_tx -> wcn36xx_set_tx_data (http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L176) there is a read of sta_priv->bss_dpu_desc_index and sta_priv->bss_sta_index. In wcn36xx_bss_info_changed -> wcn36xx_smd_config_bss -> wcn36xx_smd_config_bss_rsp (http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L1204) there is a write to the same fields. It seems that the handlers may be called in parallel and inconsistent data may be obtained. The same problem is with sta_priv->sta_index and sta_priv->sta_dpu_desc_index: http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/txrx.c#L181 http://lxr.free-electrons.com/source/drivers/net/wireless/ath/wcn36xx/smd.c#L986 Is it a real bug? Is it enough to add mutex_lock to wcn36xx_set_tx_data? -- Pavel Andrianov Linux Verification Center, ISPRAS web: http://linuxtesting.org e-mail: andrianov@...ras.ru
Powered by blists - more mailing lists