iwlwifi: plug memory modified after free

In certain situations we saw a memory modified after free. This was tracked down to a pointer not NULLed after free and used in a different code path. It is unclear how the race happens pending further investigation but setting the pointer to NULL after free and adding a check in the 2nd code path handling the case gracefully helps for now. While here improve another debug messge in sta handling. Sponsored by: The FreeBSD Foundation MFC after: 3 days
2021-12-27 17:42:51 +00:00 · 2021-12-27 17:42:51 +00:00 · 586c8e3233
commit 586c8e3233
parent 8f06a2b550
2 changed files with 7 additions and 3 deletions
--- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c
+++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c
@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
 		return false;

 	mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+	if (WARN_ON(mvm_sta->dup_data == NULL))
+		return false;
 	dup_data = &mvm_sta->dup_data[queue];

 	/*
--- a/sys/contrib/dev/iwlwifi/mvm/sta.c
+++ b/sys/contrib/dev/iwlwifi/mvm/sta.c
@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta,
 		break;
 	default:
 		ret = -EIO;
-		IWL_ERR(mvm, "Couldn't drain frames for staid %d\n",
-			mvmsta->sta_id);
+		IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n",
+			mvmsta->sta_id, status);
 		break;
 	}

@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,

 	lockdep_assert_held(&mvm->mutex);

-	if (iwl_mvm_has_new_rx_api(mvm))
+	if (iwl_mvm_has_new_rx_api(mvm)) {
 		kfree(mvm_sta->dup_data);
+		mvm_sta->dup_data = NULL;
+	}

 	ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);
 	if (ret)