From nobody Mon Dec 27 19:11:52 2021
Date: Mon, 27 Dec 2021 19:11:52 GMT
Message-Id: <202112271911.1BRJBqlF037737@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: 586c8e323305 - main - iwlwifi: plug memory modified after free
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 586c8e32330591693c5fca4e089d90340b313f5d

The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=586c8e32330591693c5fca4e089d90340b313f5d

commit
586c8e32330591693c5fca4e089d90340b313f5d
Author:     Bjoern A. Zeeb
AuthorDate: 2021-12-27 17:42:51 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2021-12-27 18:47:26 +0000

    iwlwifi: plug memory modified after free

    In certain situations we saw a memory modified after free.
    This was tracked down to a pointer not NULLed after free and
    used in a different code path.
    It is unclear how the race happens pending further investigation
    but setting the pointer to NULL after free and adding a check
    in the 2nd code path handling the case gracefully helps for now.

    While here improve another debug message in sta handling.

    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
---
 sys/contrib/dev/iwlwifi/mvm/rxmq.c | 2 ++
 sys/contrib/dev/iwlwifi/mvm/sta.c  | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/contrib/dev/iwlwifi/mvm/rxmq.c b/sys/contrib/dev/iwlwifi/mvm/rxmq.c index feb1afd65f87..a29cfbfc99a4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c +++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c @@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue, return false; mvm_sta = iwl_mvm_sta_from_mac80211(sta); + if (WARN_ON(mvm_sta->dup_data == NULL)) + return false; dup_data = &mvm_sta->dup_data[queue]; /* diff --git a/sys/contrib/dev/iwlwifi/mvm/sta.c b/sys/contrib/dev/iwlwifi/mvm/sta.c index f7f2263c3ca4..70267a6cd4b4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/sta.c +++ b/sys/contrib/dev/iwlwifi/mvm/sta.c @@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta, break; default: ret = -EIO; - IWL_ERR(mvm, "Couldn't drain frames for staid %d\n", - mvmsta->sta_id); + IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n", + mvmsta->sta_id, status); break; }
@@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, lockdep_assert_held(&mvm->mutex); - if (iwl_mvm_has_new_rx_api(mvm)) + if (iwl_mvm_has_new_rx_api(mvm)) { kfree(mvm_sta->dup_data); + mvm_sta->dup_data = NULL; + } ret = iwl_mvm_drain_sta(mvm, mvm_sta, true); if (ret)
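Review bot: the new `if (WARN_ON(mvm_sta->dup_data == NULL)) return false;` in the iwl_mvm_is_dup() hunk of rxmq.c narrows the window but does not close it: nothing in that hunk orders the read of mvm_sta->dup_data against the kfree() and NULL store in iwl_mvm_rm_sta(), which runs under mvm->mutex (the lockdep_assert_held() in the sta.c hunk) that the rx path is not shown to hold, so the pointer can still be freed between the check and `dup_data = &mvm_sta->dup_data[queue];`. Treat it as the stop-gap the commit message calls it, and prefer WARN_ON_ONCE so a burst of late frames on a torn-down station does not flood the console. Returning false also means a late duplicate is accepted rather than dropped; that is the right failure direction for a dedup cache, but a one-line comment saying so would save the next reader from wondering.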
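Review bot: style only for the IWL_ERR() change in the iwl_mvm_drain_sta() hunk: printing `status` with `%#x` in the default case is exactly the information that was missing, since that branch is reached only for a status value the switch does not know. This is vendored code under sys/contrib/dev/iwlwifi, though, so a local edit to a format string is one more line to carry across every import; consider sending the extra `status` argument upstream so the local and upstream messages stay identical.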
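Review bot: in the iwl_mvm_rm_sta() hunk the kfree(mvm_sta->dup_data) still happens before `ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);`, i.e. before the station's pending frames are drained, so the rx-side consumer in rxmq.c can legitimately still be looking at the table while it is being freed. Setting `mvm_sta->dup_data = NULL;` right after the free is the correct minimal fix, but this ordering is the obvious candidate for the race the commit message leaves open: freeing dup_data after the drain (and after the station is removed from firmware) would turn the WARN_ON() in rxmq.c into a pure assertion. Since the NULL store is now made under mvm->mutex and read lock-free on the rx path, either use WRITE_ONCE()/READ_ONCE() for the pointer or add a comment stating that the rx path must already be quiesced, so the intended ordering is visible in the code rather than only in this commit message.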
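The failure the commit message describes, reduced to a runnable model. This is an added example, not code from the commit or from iwlwifi: a per-station dedup table is freed on the teardown path while a late frame on the rx path can still reach it. Every name here (`dbg_free`, `trash_check`, `is_dup`, `rm_sta`, `struct dup_data`) and the 0xdeadc0de fill pattern are assumptions chosen for illustration; the allocator is a toy imitation of the fill-freed-memory-and-check-it technique that debug allocators use to produce a "memory modified after free" report, not the kernel's allocator. The scenario is single-threaded, so it shows the dangling-pointer write and why NULL-after-free plus a NULL check in the consumer stops it; it deliberately does not model the concurrent ordering the commit leaves for further investigation.

```c
/* Added example, not code from the commit or from iwlwifi: a per-station
 * dedup table is freed while a late rx-path frame can still reach it.
 * All names are hypothetical and the allocator is a toy model. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NQUEUES    4
#define TRASH_WORD 0xdeadc0deU   /* assumed fill pattern for freed memory */

struct dup_data { uint16_t last_seq; int valid; };   /* per-queue dedup state */
struct sta { struct dup_data *dup_data; };           /* NQUEUES entries or NULL */

/* Toy debug allocator: dbg_free() fills the block with TRASH_WORD and parks it
 * in a quarantine; trash_check() then counts blocks whose pattern was
 * disturbed, i.e. memory that was modified after free. */
struct quarantined { uint32_t *p; size_t nwords; };
static struct quarantined quarantine[8];
static int nquar;

static void *dbg_alloc(size_t n) { return calloc(1, n); }

static void dbg_free(void *p, size_t n)
{
	uint32_t *w = p;
	size_t nwords = n / sizeof(uint32_t);
	for (size_t i = 0; i < nwords; i++)
		w[i] = TRASH_WORD;
	assert(nquar < 8);
	quarantine[nquar++] = (struct quarantined){ w, nwords };
}

static int trash_check(void)   /* quarantined blocks modified after free */
{
	int bad = 0;
	for (int q = 0; q < nquar; q++)
		for (size_t i = 0; i < quarantine[q].nwords; i++)
			if (quarantine[q].p[i] != TRASH_WORD) { bad++; break; }
	return bad;
}

static void quarantine_release(void)
{
	while (nquar > 0)
		free(quarantine[--nquar].p);
}

/* rx path: 1 if (queue, seq) repeats the last frame seen on that queue.
 * With check_null set, a torn-down station yields "not a duplicate" without
 * touching dup_data, mirroring the WARN_ON() stop-gap in the patch. */
static int is_dup(struct sta *s, int queue, uint16_t seq, int check_null)
{
	struct dup_data *d;
	if (check_null && s->dup_data == NULL) {
		fprintf(stderr, "warning: is_dup() on torn-down sta\n");
		return 0;
	}
	d = &s->dup_data[queue];
	if (d->valid && d->last_seq == seq)
		return 1;
	d->valid = 1;
	d->last_seq = seq;
	return 0;
}

/* Teardown path: frees the table and clears the pointer only when asked. */
static void rm_sta(struct sta *s, int null_after_free)
{
	dbg_free(s->dup_data, NQUEUES * sizeof(*s->dup_data));
	if (null_after_free)
		s->dup_data = NULL;
}

/* Tear a station down, then deliver one late frame on the rx path.
 * Returns how many freed blocks that late frame modified: 1 when the pointer
 * is left dangling (the bug), 0 with NULL-after-free plus the check. */
static int late_frame_after_teardown(int fixed)
{
	struct sta s = { dbg_alloc(NQUEUES * sizeof(struct dup_data)) };
	int modified;
	assert(is_dup(&s, 0, 100, fixed) == 0);   /* first frame on queue 0 */
	assert(is_dup(&s, 0, 100, fixed) == 1);   /* retransmission: duplicate */
	rm_sta(&s, fixed);
	is_dup(&s, 0, 101, fixed);                /* late frame after teardown */
	modified = trash_check();
	quarantine_release();
	return modified;
}

int main(void)
{
	printf("dangling pointer: %d block(s) modified after free\n",
	    late_frame_after_teardown(0));
	printf("NULL after free:  %d block(s) modified after free\n",
	    late_frame_after_teardown(1));
	return 0;
}
```

In the dangling case the late frame reads trash as a stale sequence number, decides the frame is new, and writes its own state over the freed block; the pattern check then reports the block as modified after free. With the pointer NULLed and the consumer checking for NULL, the late frame is treated as not a duplicate and the freed block is never touched. The check would not help against a concurrent free between the NULL test and the dereference, which is why the ordering of the free relative to the rx path matters more than the check itself.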