mirror of https://github.com/torvalds/linux.git
82fca3d8a4
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
Fixes:
|
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Kconfig | ||
| Makefile | ||
| adummy.c | ||
| atmtcp.c | ||
| eni.c | ||
| eni.h | ||
| fore200e.c | ||
| fore200e.h | ||
| he.c | ||
| he.h | ||
| idt77105.c | ||
| idt77105.h | ||
| idt77252.c | ||
| idt77252.h | ||
| idt77252_tables.h | ||
| iphase.c | ||
| iphase.h | ||
| lanai.c | ||
| midway.h | ||
| nicstar.c | ||
| nicstar.h | ||
| nicstarmac.c | ||
| nicstarmac.copyright | ||
| solos-attrlist.c | ||
| solos-pci.c | ||
| suni.c | ||
| suni.h | ||
| tonga.h | ||
| zeprom.h | ||