Potential data race in drivers/net/ethernet/sis/sis190.ko

From: Pavel Andrianov
Date: Mon Aug 15 2016 - 09:00:35 EST


Hi!

There is a potential data race in drivers/net/ethernet/sis/sis190.ko.

Regard such situation:

CPU 1 CPU 2

...
->sis190_open
- registers interrupts
...
->sis190_tx_timeout
- is called at some point
->sis190_tx_clear
skb = tp->Tx_skbuff[i]
[skb != null]

an interrupt comes to CPU 2

-> sis190_irq
-> sis190_tx_interrupt
skb = tp->Tx_skbuff[entry];
...
-> dev_kfree_skb_irq(skb)
->dev_kfree_skb(skb)

In this case the skb is freed twice. Likely, in the interrupt handler the same spinlock should be acquired as in
sis190_tx_timeout.

--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@xxxxxxxxx