wifi: iwlwifi: read txq->read_ptr under lock

If we read txq->read_ptr without lock, we can read the same
value twice, then obtain the lock, and reclaim from there
to two different places, but crucially reclaim the same
entry twice, resulting in the WARN_ONCE() a little later.
Fix that by reading txq->read_ptr under lock.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240319100755.bf4c62196504.I978a7ca56c6bd6f1bf42c15aa923ba03366a840b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
index 33973a60d0bf4165e71573807d8791cede555a3d..6229c785c8457616834cac32fc19c59b31f5c24e 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
@@ -1589,9 +1589,9 @@ void iwl_txq_reclaim(struct iwl_trans *trans, int txq_id, int ssn,
                return;
 
        tfd_num = iwl_txq_get_cmd_index(txq, ssn);
-       read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
 
        spin_lock_bh(&txq->lock);
+       read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
 
        if (!test_bit(txq_id, trans->txqs.queue_used)) {
                IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",