author | Andreas Fenkart <afenkart@gmail.com> | 2015-07-17 10:13:05 +0300 |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2015-08-06 10:09:09 +0300 |
commit | e9f21d403699a4d299a02df107326f11acecd13e (patch) | |
tree | 81b66a6c7542c48ad85b4769cb113089decc6090 | |
parent | aeb03000837eec7df4f57034106542efd60be02b (diff) | |
download | linux-e9f21d403699a4d299a02df107326f11acecd13e.tar.xz |
mwifiex: remove CMD_F_CANCELED flag
CMD_F_CANCELED was used to abort mwifiex_process_cmdresp in
case it already started or starts processing the cmd.
But this was probably not working the way intended:
- it is racy: mwifiex_process_cmdresp might already have passed that
test and is continuing to use the cmd node being recycled
- mwifiex_process_cmdresp repeatedly uses adapter->curr_cmd which
we just set to NULL
- mwifiex_recycle_cmd_node will clear the flag
The reason why it probably works is that mwifiex_cancel_pending_ioctl
is only called from mwifiex_cmd_timeout_func, where there is little
chance of a command response still arriving
Signed-off-by: Andreas Fenkart <afenkart@gmail.com>
Acked-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-rw-r--r-- | drivers/net/wireless/mwifiex/cmdevt.c | 23 | ||||
-rw-r--r-- | drivers/net/wireless/mwifiex/fw.h | 1 |
2 files changed, 10 insertions, 14 deletions
diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c
index 87b6dee2b049..6458e17304ca 100644
--- a/drivers/net/wireless/mwifiex/cmdevt.c
+++ b/drivers/net/wireless/mwifiex/cmdevt.c
@@ -807,17 +807,6 @@ int mwifiex_process_cmdresp(struct mwifiex_adapter *adapter)
 	adapter->is_cmd_timedout = 0;
 	resp = (struct host_cmd_ds_command *) adapter->curr_cmd->resp_skb->data;
-	if (adapter->curr_cmd->cmd_flag & CMD_F_CANCELED) {
-		mwifiex_dbg(adapter, ERROR,
-			    "CMD_RESP: %#x been canceled\n",
-			    le16_to_cpu(resp->command));
-		mwifiex_recycle_cmd_node(adapter, adapter->curr_cmd);
-		spin_lock_irqsave(&adapter->mwifiex_cmd_lock, flags);
-		adapter->curr_cmd = NULL;
-		spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
-		return -1;
-	}
-
 	if (adapter->curr_cmd->cmd_flag & CMD_F_HOSTCMD) {
 		/* Copy original response back to response buffer */
 		struct mwifiex_ds_misc_cmd *hostcmd;
@@ -1090,10 +1079,18 @@ mwifiex_cancel_pending_ioctl(struct mwifiex_adapter *adapter)
 	    (adapter->curr_cmd->wait_q_enabled)) {
 		spin_lock_irqsave(&adapter->mwifiex_cmd_lock, cmd_flags);
 		cmd_node = adapter->curr_cmd;
-		cmd_node->cmd_flag |= CMD_F_CANCELED;
-		mwifiex_recycle_cmd_node(adapter, cmd_node);
+		/* setting curr_cmd to NULL is quite dangerous, because
+		 * mwifiex_process_cmdresp checks curr_cmd to be != NULL
+		 * at the beginning then relies on it and dereferences
+		 * it at will
+		 * this probably works since mwifiex_cmd_timeout_func
+		 * is the only caller of this function and responses
+		 * at that point
+		 */
 		adapter->curr_cmd = NULL;
 		spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, cmd_flags);
+
+		mwifiex_recycle_cmd_node(adapter, cmd_node);
 	}
 
 	/* Cancel all pending scan command */
diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h
index cff38ad129aa..9a8c1832d068 100644
--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
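Review bot: The comment added in mwifiex_cancel_pending_ioctl trails off mid-sentence — `* is the only caller of this function and responses` / `* at that point` — so the justification it is meant to record is not actually stated; suggest `* this probably works since mwifiex_cmd_timeout_func` / `* is the only caller of this function, and no command response is` / `* expected to arrive at that point`. Since the comment documents a known race rather than closing it, it would also help to spell out the hazard in one line: mwifiex_process_cmdresp reads and dereferences adapter->curr_cmd without holding mwifiex_cmd_lock, so a response racing with this NULL store would operate on a node that is about to be recycled — this follows from the commit message, but a reader of the code alone cannot see it. Moving the mwifiex_recycle_cmd_node() call after the unlock is the right ordering; a `/* curr_cmd is already NULL, so the node is no longer reachable from the adapter */` note above it would make that intent explicit. The enclosing if-block and the function itself start and end outside this hunk.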
@@ -438,7 +438,6 @@ enum P2P_MODES {
 #define CMD_F_HOSTCMD                (1 << 0)
-#define CMD_F_CANCELED               (1 << 1)
 #define HostCmd_CMD_ID_MASK             0x0fff