Date: Thu, 30 Dec 2021 19:22:52 GMT
Message-Id: <202112301922.1BUJMqnI017668@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: eaa27f02da9c - stable/13 - iwlwifi: plug memory modified after free
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: eaa27f02da9cf729c0be7d6fe4616426727b61c0

The branch stable/13 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=eaa27f02da9cf729c0be7d6fe4616426727b61c0
commit eaa27f02da9cf729c0be7d6fe4616426727b61c0
Author:     Bjoern A. Zeeb
AuthorDate: 2021-12-27 17:42:51 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2021-12-30 18:28:51 +0000

    iwlwifi: plug memory modified after free

    In certain situations we saw a memory modified after free.
    This was tracked down to a pointer not NULLed after free and used in a
    different code path.
    It is unclear how the race happens pending further investigation but
    setting the pointer to NULL after free and adding a check in the 2nd
    code path handling the case gracefully helps for now.

    While here improve another debug message in sta handling.

    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 586c8e32330591693c5fca4e089d90340b313f5d)

--- sys/contrib/dev/iwlwifi/mvm/rxmq.c | 2 ++ sys/contrib/dev/iwlwifi/mvm/sta.c | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sys/contrib/dev/iwlwifi/mvm/rxmq.c b/sys/contrib/dev/iwlwifi/mvm/rxmq.c index feb1afd65f87..a29cfbfc99a4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c +++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c @@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue, return false; mvm_sta = iwl_mvm_sta_from_mac80211(sta); + if (WARN_ON(mvm_sta->dup_data == NULL)) + return false; dup_data = &mvm_sta->dup_data[queue]; /* diff --git a/sys/contrib/dev/iwlwifi/mvm/sta.c b/sys/contrib/dev/iwlwifi/mvm/sta.c index f7f2263c3ca4..70267a6cd4b4 100644 --- a/sys/contrib/dev/iwlwifi/mvm/sta.c +++ b/sys/contrib/dev/iwlwifi/mvm/sta.c @@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta, break; default: ret = -EIO; - IWL_ERR(mvm, "Couldn't drain frames for staid %d\n", - mvmsta->sta_id); + IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n", - mvmsta->sta_id, status); break; } 
@@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm, lockdep_assert_held(&mvm->mutex); - if (iwl_mvm_has_new_rx_api(mvm)) + if (iwl_mvm_has_new_rx_api(mvm)) { kfree(mvm_sta->dup_data); + mvm_sta->dup_data = NULL; + } ret = iwl_mvm_drain_sta(mvm, mvm_sta, true); if (ret)
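Review bot: in the rxmq.c hunk, `if (WARN_ON(mvm_sta->dup_data == NULL)) return false;` answers "not a duplicate", so a frame that reaches iwl_mvm_is_dup after iwl_mvm_rm_sta has already freed dup_data is passed further up the receive path for a station that is in the middle of teardown; while the root cause of the race is still open, consider whether returning true (drop the frame) is the safer default here, and prefer WARN_ON_ONCE so that a race which turns out to be reachable repeatedly does not emit a stack trace per received frame.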
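Review bot: in the iwl_mvm_rm_sta hunk, clearing mvm_sta->dup_data after kfree() converts the reported modify-after-free into a NULL that the new check in iwl_mvm_is_dup can see, but the kfree() still runs before iwl_mvm_drain_sta(), that is, while firmware can still deliver frames for this station, and the lockdep_assert_held(&mvm->mutex) above it only orders other holders of mvm->mutex, not the RX path that reads dup_data; consider moving `kfree(mvm_sta->dup_data); mvm_sta->dup_data = NULL;` to after the drain has completed, so the buffer is released only once no further RX for the station is expected, which would close the window rather than narrow it, and note in the commit message that the NULL check is a mitigation until the ordering is fixed.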