Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 12 Dec 2018 15:49:14 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r341990 - head/sys/dev/bwn
Message-ID:  <201812121549.wBCFnEmM005877@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: markj
Date: Wed Dec 12 15:49:14 2018
New Revision: 341990
URL: https://svnweb.freebsd.org/changeset/base/341990

Log:
  Fix a possible mbuf double free in bwn_dma_tx_start().
  
  If bus_dmamap_load_mbuf() fails following a defrag, the caller of
  bwn_dma_tx_start() would free the original mbuf after m_defrag() had
  already done so.  Fix this by returning the defragged mbuf to the
  caller instead.  Update bwn_pio_tx_start() similarly for consistency.
  
  Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
  Reviewed by:	landonf
  Tested by:	landonf
  MFC after:	3 days
  admbug:		820
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D18342

Modified:
  head/sys/dev/bwn/if_bwn.c

Modified: head/sys/dev/bwn/if_bwn.c
==============================================================================
--- head/sys/dev/bwn/if_bwn.c	Wed Dec 12 15:23:40 2018	(r341989)
+++ head/sys/dev/bwn/if_bwn.c	Wed Dec 12 15:49:14 2018	(r341990)
@@ -209,7 +209,7 @@ static void	bwn_pio_rx_write_2(struct bwn_pio_rxqueue 
 static void	bwn_pio_rx_write_4(struct bwn_pio_rxqueue *, uint16_t,
 		    uint32_t);
 static int	bwn_pio_tx_start(struct bwn_mac *, struct ieee80211_node *,
-		    struct mbuf *);
+		    struct mbuf **);
 static struct bwn_pio_txqueue *bwn_pio_select(struct bwn_mac *, uint8_t);
 static uint32_t	bwn_pio_write_multi_4(struct bwn_mac *,
 		    struct bwn_pio_txqueue *, uint32_t, const void *, int);
@@ -273,7 +273,7 @@ static void	bwn_ratectl_tx_complete(const struct ieee8
 static void	bwn_dma_handle_txeof(struct bwn_mac *,
 		    const struct bwn_txstatus *);
 static int	bwn_dma_tx_start(struct bwn_mac *, struct ieee80211_node *,
-		    struct mbuf *);
+		    struct mbuf **);
 static int	bwn_dma_getslot(struct bwn_dma_ring *);
 static struct bwn_dma_ring *bwn_dma_select(struct bwn_mac *,
 		    uint8_t);
@@ -1068,7 +1068,7 @@ bwn_tx_start(struct bwn_softc *sc, struct ieee80211_no
 	}
 
 	error = (mac->mac_flags & BWN_MAC_FLAG_DMA) ?
-	    bwn_dma_tx_start(mac, ni, m) : bwn_pio_tx_start(mac, ni, m);
+	    bwn_dma_tx_start(mac, ni, &m) : bwn_pio_tx_start(mac, ni, &m);
 	if (error) {
 		m_freem(m);
 		return (error);
@@ -1077,13 +1077,14 @@ bwn_tx_start(struct bwn_softc *sc, struct ieee80211_no
 }
 
 static int
-bwn_pio_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni, struct mbuf *m)
+bwn_pio_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni,
+    struct mbuf **mp)
 {
 	struct bwn_pio_txpkt *tp;
-	struct bwn_pio_txqueue *tq = bwn_pio_select(mac, M_WME_GETAC(m));
+	struct bwn_pio_txqueue *tq;
 	struct bwn_softc *sc = mac->mac_sc;
 	struct bwn_txhdr txhdr;
-	struct mbuf *m_new;
+	struct mbuf *m, *m_new;
 	uint32_t ctl32;
 	int error;
 	uint16_t ctl16;
@@ -1092,6 +1093,8 @@ bwn_pio_tx_start(struct bwn_mac *mac, struct ieee80211
 
 	/* XXX TODO send packets after DTIM */
 
+	m = *mp;
+	tq = bwn_pio_select(mac, M_WME_GETAC(m));
 	KASSERT(!TAILQ_EMPTY(&tq->tq_pktlist), ("%s: fail", __func__));
 	tp = TAILQ_FIRST(&tq->tq_pktlist);
 	tp->tp_ni = ni;
@@ -1111,13 +1114,14 @@ bwn_pio_tx_start(struct bwn_mac *mac, struct ieee80211
 		/*
 		 * XXX please removes m_defrag(9)
 		 */
-		m_new = m_defrag(m, M_NOWAIT);
+		m_new = m_defrag(*mp, M_NOWAIT);
 		if (m_new == NULL) {
 			device_printf(sc->sc_dev,
 			    "%s: can't defrag TX buffer\n",
 			    __func__);
 			return (ENOBUFS);
 		}
+		*mp = m_new;
 		if (m_new->m_next != NULL)
 			device_printf(sc->sc_dev,
 			    "TODO: fragmented packets for PIO\n");
@@ -1168,15 +1172,17 @@ bwn_pio_select(struct bwn_mac *mac, uint8_t prio)
 }
 
 static int
-bwn_dma_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni, struct mbuf *m)
+bwn_dma_tx_start(struct bwn_mac *mac, struct ieee80211_node *ni,
+    struct mbuf **mp)
 {
 #define	BWN_GET_TXHDRCACHE(slot)					\
 	&(txhdr_cache[(slot / BWN_TX_SLOTS_PER_FRAME) * BWN_HDRSIZE(mac)])
 	struct bwn_dma *dma = &mac->mac_method.dma;
-	struct bwn_dma_ring *dr = bwn_dma_select(mac, M_WME_GETAC(m));
+	struct bwn_dma_ring *dr = bwn_dma_select(mac, M_WME_GETAC(*mp));
 	struct bwn_dmadesc_generic *desc;
 	struct bwn_dmadesc_meta *mt;
 	struct bwn_softc *sc = mac->mac_sc;
+	struct mbuf *m;
 	uint8_t *txhdr_cache = (uint8_t *)dr->dr_txhdr_cache;
 	int error, slot, backup[2] = { dr->dr_curslot, dr->dr_usedslot };
 
@@ -1185,6 +1191,7 @@ bwn_dma_tx_start(struct bwn_mac *mac, struct ieee80211
 
 	/* XXX send after DTIM */
 
+	m = *mp;
 	slot = bwn_dma_getslot(dr);
 	dr->getdesc(dr, slot, &desc, &mt);
 	KASSERT(mt->mt_txtype == BWN_DMADESC_METATYPE_HEADER,
@@ -1233,9 +1240,8 @@ bwn_dma_tx_start(struct bwn_mac *mac, struct ieee80211
 			    __func__);
 			error = ENOBUFS;
 			goto fail;
-		} else {
-			m = m_new;
 		}
+		*mp = m = m_new;
 
 		mt->mt_m = m;
 		error = bus_dmamap_load_mbuf(dma->txbuf_dtag, mt->mt_dmap,



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812121549.wBCFnEmM005877>