The branch stable/13 has been updated by bz:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=eaa27f02da9cf729c0be7d6fe4616426727b61c0

commit eaa27f02da9cf729c0be7d6fe4616426727b61c0
Author:     Bjoern A. Zeeb <[email protected]>
AuthorDate: 2021-12-27 17:42:51 +0000
Commit:     Bjoern A. Zeeb <[email protected]>
CommitDate: 2021-12-30 18:28:51 +0000

    iwlwifi: plug memory modified after free
    
    In certain situations we saw a memory modified after free.  This was
    tracked down to a pointer not NULLed after free and used in a different
    code path.  It is unclear how the race happens pending further
    investigation but setting the pointer to NULL after free and adding a
    check in the 2nd code path handling the case gracefully helps for now.
    
    While here improve another debug message in sta handling.
    
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 586c8e32330591693c5fca4e089d90340b313f5d)
---
 sys/contrib/dev/iwlwifi/mvm/rxmq.c | 2 ++
 sys/contrib/dev/iwlwifi/mvm/sta.c  | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/contrib/dev/iwlwifi/mvm/rxmq.c 
b/sys/contrib/dev/iwlwifi/mvm/rxmq.c
index feb1afd65f87..a29cfbfc99a4 100644
--- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c
+++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c
@@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int 
queue,
                return false;
 
        mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+       if (WARN_ON(mvm_sta->dup_data == NULL))
+               return false;
        dup_data = &mvm_sta->dup_data[queue];
 
        /*
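Review bot: The new guard only covers the window after `mvm_sta->dup_data` has already been stored as NULL; nothing in this hunk orders the load of `dup_data` against the `kfree()` on the `iwl_mvm_rm_sta()` path, so an RX frame racing the teardown can still observe the stale pointer and index freed memory, which the commit message itself leaves open. Since `iwl_mvm_is_dup()` runs once per received frame, the unconditional `WARN_ON()` will also emit a stack dump for every frame that hits the race; `if (WARN_ON_ONCE(mvm_sta->dup_data == NULL))` keeps the diagnostic without flooding the log. Returning `false` treats the frame as not-a-duplicate and lets it through, which is presumably acceptable for a station being torn down but is worth stating above the check, e.g. `/* dup_data is freed in iwl_mvm_rm_sta(); a frame racing teardown is passed through undeduplicated. */`. `iwl_mvm_is_dup()` starts before this hunk and its body continues after it.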
diff --git a/sys/contrib/dev/iwlwifi/mvm/sta.c 
b/sys/contrib/dev/iwlwifi/mvm/sta.c
index f7f2263c3ca4..70267a6cd4b4 100644
--- a/sys/contrib/dev/iwlwifi/mvm/sta.c
+++ b/sys/contrib/dev/iwlwifi/mvm/sta.c
@@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct 
iwl_mvm_sta *mvmsta,
                break;
        default:
                ret = -EIO;
-               IWL_ERR(mvm, "Couldn't drain frames for staid %d\n",
-                       mvmsta->sta_id);
+               IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n",
+                       mvmsta->sta_id, status);
                break;
        }
 
@@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
 
        lockdep_assert_held(&mvm->mutex);
 
-       if (iwl_mvm_has_new_rx_api(mvm))
+       if (iwl_mvm_has_new_rx_api(mvm)) {
                kfree(mvm_sta->dup_data);
+               mvm_sta->dup_data = NULL;
+       }
 
        ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);
        if (ret)
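Review bot: The pointer is freed and cleared while the function holds `mvm->mutex` (asserted just above), but the reader in `iwl_mvm_is_dup()` is on the RX path and does not take that mutex, so the store of NULL does not synchronize with a concurrent load; it closes the stale-pointer window for later frames but not for one already past the load. The free also happens before `iwl_mvm_drain_sta()` is called at the end of the hunk, so if the firmware can still deliver frames for this station until the drain and removal complete (I cannot confirm that from this hunk), moving the `kfree()`/NULL pair to after the station is drained and removed would remove the race rather than only narrow it. As a stopgap the hunk is fine; a comment recording why the pointer is cleared, e.g. `/* Cleared so a racing iwl_mvm_is_dup() sees NULL rather than a dangling pointer. */`, would help the follow-up investigation the commit message mentions. `iwl_mvm_rm_sta()` continues past this hunk.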
