git: eaa27f02da9c - stable/13 - iwlwifi: plug memory modified after free
Date: Thu, 30 Dec 2021 19:22:52 UTC
The branch stable/13 has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=eaa27f02da9cf729c0be7d6fe4616426727b61c0 commit eaa27f02da9cf729c0be7d6fe4616426727b61c0 Author: Bjoern A. Zeeb <bz@FreeBSD.org> AuthorDate: 2021-12-27 17:42:51 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2021-12-30 18:28:51 +0000 iwlwifi: plug memory modified after free In certain situations we saw a memory modified after free. This was tracked down to a pointer not NULLed after free and used in a different code path. It is unclear how the race happens pending further investigation but setting the pointer to NULL after free and adding a check in the 2nd code path handling the case gracefully helps for now. While here improve another debug messge in sta handling. Sponsored by: The FreeBSD Foundation (cherry picked from commit 586c8e32330591693c5fca4e089d90340b313f5d) --- sys/contrib/dev/iwlwifi/mvm/rxmq.c | 2 ++ sys/contrib/dev/iwlwifi/mvm/sta.c | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sys/contrib/dev/iwlwifi/mvm/rxmq.c b/sys/contrib/dev/iwlwifi/mvm/rxmq.c index feb1afd65f87..a29cfbfc99a4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c +++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c @@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue, return false; mvm_sta = iwl_mvm_sta_from_mac80211(sta); + if (WARN_ON(mvm_sta->dup_data == NULL)) + return false; dup_data = &mvm_sta->dup_data[queue]; /* diff --git a/sys/contrib/dev/iwlwifi/mvm/sta.c b/sys/contrib/dev/iwlwifi/mvm/sta.c index f7f2263c3ca4..70267a6cd4b4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/sta.c +++ b/sys/contrib/dev/iwlwifi/mvm/sta.c @@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta, break; default: ret = -EIO; - IWL_ERR(mvm, "Couldn't drain frames for staid %d\n", - mvmsta->sta_id); + IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n", + mvmsta->sta_id, status); break; } 
@@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, lockdep_assert_held(&mvm->mutex); - if (iwl_mvm_has_new_rx_api(mvm)) + if (iwl_mvm_has_new_rx_api(mvm)) { kfree(mvm_sta->dup_data); + mvm_sta->dup_data = NULL; + } ret = iwl_mvm_drain_sta(mvm, mvm_sta, true); if (ret)
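Review bot: the new `if (WARN_ON(mvm_sta->dup_data == NULL)) return false;` in iwl_mvm_is_dup() (rxmq.c hunk) reads a pointer that iwl_mvm_rm_sta() frees and clears under mvm->mutex without any ordering against that free, so it narrows the window rather than closing it: a frame that loaded the pointer just before the kfree() still reaches `dup_data = &mvm_sta->dup_data[queue];` and touches freed memory, and a frame arriving between the kfree() and the NULL store is not caught either. A one-line comment saying the check is a mitigation pending the root cause the commit message leaves open would stop the next reader from taking it for the fix. Returning false is the right graceful choice, since it only means the frame is not treated as a duplicate, but plain WARN_ON logs a stack trace for every late frame in that window; WARN_ON_ONCE keeps the diagnostic without the log storm.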
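Review bot: adding status to the default arm of the switch in iwl_mvm_drain_sta() (first sta.c hunk) is the right place for it, since that arm is exactly the case where the value was unknown and the old message gave nothing to go on; printing it with `%#x` matches how the other status values are compared. One wording nit: the commit message calls this a debug message, but the call is IWL_ERR, an error-level print, so the summary slightly undersells the change.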
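Review bot: in iwl_mvm_rm_sta() (second sta.c hunk) the `kfree(mvm_sta->dup_data);` and the new `mvm_sta->dup_data = NULL;` still sit before `ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);`, i.e. before the firmware has been asked to stop delivering frames for this station, so the RX path can legitimately run iwl_mvm_is_dup() for it while dup_data is already gone; that is the window the rxmq.c WARN_ON has to paper over. Moving the kfree() below the drain (and any later station teardown in this function) would remove the use-after-free instead of detecting it, and this hunk already holds mvm->mutex per the `lockdep_assert_held(&mvm->mutex);` above, so the ordering change is local. The NULL store itself is correct and cheap and should stay regardless, since other paths may test the pointer; the braces added for the now two-statement body are fine.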
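The commit message describes a pointer that was freed on one code path and used on another, and the subject line quotes the diagnostic that exposed it. The following is an added example written for this page, not FreeBSD or iwlwifi code: a user-space model of that interleaving, built on a small pool allocator that poisons items on free and checks the poison when the item is handed out again, which is the mechanism a debug kernel allocator uses to produce a "memory modified after free" report. The pool, the station struct, the 0xc0de poison value, the function names and the message wording are all assumptions made for the model; only the shape of the bug and of the fix (NULL the pointer after free, check it on the other path) follows the commit.

```c
/*
 * Added example, not FreeBSD or iwlwifi code: a user-space model of the
 * dangling dup_data pointer from the commit, and of how a poisoning
 * allocator turns a write through that pointer into a "memory modified
 * after free" report on the next allocation.  Pool, poison value, names
 * and message wording are assumptions made for this model.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NQUEUES 4
#define NSLOTS  2
#define TRASH16 0xc0deu   /* assumption: poison written into freed items */

/* Per-queue dedup state, modelled on the driver's dup_data array. */
struct dup_data {
	uint16_t last_seq;
	uint16_t last_sub_frame;
};

/* Fixed-size pool of dup_data arrays; items are poisoned on free and verified on reuse. */
static struct dup_data pool[NSLOTS][NQUEUES];
static int in_use[NSLOTS];
static int reports;   /* "memory modified after free" reports raised so far */

static void fill(struct dup_data *blk, uint16_t v)
{
	for (int q = 0; q < NQUEUES; q++) {
		blk[q].last_seq = v;
		blk[q].last_sub_frame = v;
	}
}

static void pool_init(void)
{
	reports = 0;
	for (int i = 0; i < NSLOTS; i++) {
		in_use[i] = 0;
		fill(pool[i], TRASH16);   /* fresh items start out poisoned */
	}
}

static struct dup_data *pool_alloc(void)
{
	for (int i = 0; i < NSLOTS; i++) {
		if (in_use[i])
			continue;
		/* Trash check: anything that overwrote the poison since the free was a write to freed memory. */
		for (int q = 0; q < NQUEUES; q++) {
			if (pool[i][q].last_seq != TRASH16 || pool[i][q].last_sub_frame != TRASH16) {
				printf("memory modified after free %p queue %d val=%#x\n",
				    (void *)&pool[i][q], q, pool[i][q].last_seq);
				reports++;
			}
		}
		in_use[i] = 1;
		fill(pool[i], 0);
		return pool[i];
	}
	return NULL;
}

static void pool_free(struct dup_data *blk)
{
	for (int i = 0; i < NSLOTS; i++) {
		if (blk == pool[i]) {
			fill(blk, TRASH16);   /* poison on free, as a debug allocator would */
			in_use[i] = 0;
			return;
		}
	}
}

struct sta {
	int sta_id;
	struct dup_data *dup_data;   /* NQUEUES entries; NULL after the fixed rm_sta */
};

/* RX path before the fix: trusts whatever pointer the station holds. */
static int is_dup_before(struct sta *s, int queue, uint16_t seq)
{
	struct dup_data *d = &s->dup_data[queue];
	if (d->last_seq == seq)
		return 1;
	d->last_seq = seq;    /* after a stale free, this store lands in poisoned memory */
	return 0;
}

/* RX path after the fix: the NULL check mirrors WARN_ON(mvm_sta->dup_data == NULL). */
static int is_dup_after(struct sta *s, int queue, uint16_t seq)
{
	if (s->dup_data == NULL) {
		fprintf(stderr, "WARN: sta %d: dup_data already freed, skipping dedup\n", s->sta_id);
		return 0;   /* treat the frame as not a duplicate, as the commit does */
	}
	return is_dup_before(s, queue, seq);
}

static void rm_sta_before(struct sta *s) { pool_free(s->dup_data); }                       /* pointer left dangling */
static void rm_sta_after(struct sta *s)  { pool_free(s->dup_data); s->dup_data = NULL; }  /* pointer cleared */

/*
 * The interleaving from the commit message: the station is removed on one
 * path while a late frame for it is still handled on the RX path, then the
 * freed item is handed out again.  Returns how many modified-after-free
 * reports the pool raised on that reallocation (1 unfixed, 0 fixed).
 */
static int run_scenario(int fixed)
{
	int (*is_dup)(struct sta *, int, uint16_t) = fixed ? is_dup_after : is_dup_before;
	struct sta s = { .sta_id = 7, .dup_data = NULL };

	pool_init();
	s.dup_data = pool_alloc();
	(void)is_dup(&s, 0, 100);                          /* normal traffic */
	if (fixed) rm_sta_after(&s); else rm_sta_before(&s); /* station torn down */
	(void)is_dup(&s, 0, 101);                          /* late frame on the other path */
	(void)pool_alloc();                                /* item reused: poison is verified here */
	return reports;
}

int main(void)
{
	printf("before fix: %d report(s)\n", run_scenario(0));
	printf("after fix:  %d report(s)\n", run_scenario(1));
	return 0;
}
```

The unfixed run reports the single poisoned word that the late frame's `d->last_seq = seq` overwrote; the fixed run logs the warning from the NULL check instead and the poison survives intact. The model shows why the report in the subject line only appears when the freed item is reused, which is also why the window can be hard to reproduce.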