ath11k: fix potential wmi_mgmt_tx_queue race condition

There is a potential race condition between skb_queue_len()
and skb_queue_tail(), the former may get old value before
updated by the latter.

So use skb_queue_len_lockless() instead. And also use '>=',
in case we queue a few SKBs simultaneously.

Found while discussing a similar fix for ath10k:
https://patchwork.kernel.org/project/linux-wireless/patch/1608515579-1066-1-git-send-email-miaoqing@codeaurora.org/

No functional changes, compile tested only.

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1613630709-704-1-git-send-email-miaoqing@codeaurora.org

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 335d49af7dd5f7bfef5cd2c709ced9cad7aa6f46..3c1f35a204ba53d81c66ce45431138c29485e656 100644 (file)
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -4211,7 +4211,7 @@ static int ath11k_mac_mgmt_tx(struct ath11k *ar, struct sk_buff *skb,
                return -ENOSPC;
        }
 
-       if (skb_queue_len(q) == ATH11K_TX_MGMT_NUM_PENDING_MAX) {
+       if (skb_queue_len_lockless(q) >= ATH11K_TX_MGMT_NUM_PENDING_MAX) {
                ath11k_warn(ar->ab, "mgmt tx queue is full\n");
                return -ENOSPC;
        }