iwlwifi: plug memory modified after free
In certain situations we saw memory modified after free. This was tracked down to a pointer that was not set to NULL after free and was then used in a different code path. It is unclear how the race happens, pending further investigation, but setting the pointer to NULL after free and adding a check in the 2nd code path to handle the case gracefully helps for now. While here, improve another debug message in sta handling. Sponsored by: The FreeBSD Foundation MFC after: 3 days
parent
8f06a2b550
commit
586c8e3233
|
@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
|
|||
return false;
|
||||
|
||||
mvm_sta = iwl_mvm_sta_from_mac80211(sta);
|
||||
if (WARN_ON(mvm_sta->dup_data == NULL))
|
||||
return false;
|
||||
dup_data = &mvm_sta->dup_data[queue];
|
||||
|
||||
/*
|
||||
|
|
|
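Review bot: The added NULL check in iwl_mvm_is_dup() reads `mvm_sta->dup_data` twice, once inside `WARN_ON` and again in `&mvm_sta->dup_data[queue]`, and nothing visible in this hunk holds the `mvm->mutex` under which the iwl_mvm_rm_sta() hunk frees the array, so the free can still land between the check and the use. Loading the pointer once and testing the local is tighter, and `WARN_ON_ONCE` keeps a per-frame RX path from flooding the log while the race is open: `dup_data = READ_ONCE(mvm_sta->dup_data);`, `if (WARN_ON_ONCE(dup_data == NULL)) return false;`, `dup_data = &dup_data[queue];`. Even then this only narrows the window; closing it presumably needs the free to wait until RX processing for the station has stopped. Returning false reports the frame as not a duplicate, so frames for a station being torn down skip duplicate detection; reporting a duplicate instead may be the safer failure mode, which should be confirmed against the caller. The function body starts and ends outside the hunk.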
@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta,
|
|||
break;
|
||||
default:
|
||||
ret = -EIO;
|
||||
IWL_ERR(mvm, "Couldn't drain frames for staid %d\n",
|
||||
mvmsta->sta_id);
|
||||
IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n",
|
||||
mvmsta->sta_id, status);
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
|
|||
|
||||
lockdep_assert_held(&mvm->mutex);
|
||||
|
||||
if (iwl_mvm_has_new_rx_api(mvm))
|
||||
if (iwl_mvm_has_new_rx_api(mvm)) {
|
||||
kfree(mvm_sta->dup_data);
|
||||
mvm_sta->dup_data = NULL;
|
||||
}
|
||||
|
||||
ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);
|
||||
if (ret)
|
||||
|
|
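Review bot: In iwl_mvm_rm_sta() the array is freed before the field is cleared, so between `kfree(mvm_sta->dup_data);` and `mvm_sta->dup_data = NULL;` the field still holds a dangling pointer that passes the new NULL check in iwl_mvm_is_dup(). Clearing first shortens that window: `dup = mvm_sta->dup_data;`, `mvm_sta->dup_data = NULL;`, `kfree(dup);`, with `dup` a new local. This does not stop a reader that already loaded the old pointer, so a comment such as `/* XXX stopgap: RX may still reference dup_data, see iwl_mvm_is_dup() */` would record that the fix is partial. The function body starts and ends outside the hunk.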