authorBjoern A. Zeeb <bz@FreeBSD.org>2021-12-27 17:42:51 +0000
committerBjoern A. Zeeb <bz@FreeBSD.org>2021-12-27 18:47:26 +0000
commit586c8e32330591693c5fca4e089d90340b313f5d (patch)
tree4b67323955917f84f34e95fcd19c9e4f8947dd47
parent8f06a2b550c6288b48996036c325a1999780cb6a (diff)
iwlwifi: plug memory modified after free
In certain situations we saw memory modified after free. This was tracked down to a pointer not NULLed after free and then used in a different code path. It is unclear how the race happens pending further investigation, but setting the pointer to NULL after free and adding a check in the second code path that handles the case gracefully helps for now. While here improve another debug message in sta handling. Sponsored by: The FreeBSD Foundation MFC after: 3 days
-rw-r--r--sys/contrib/dev/iwlwifi/mvm/rxmq.c2
-rw-r--r--sys/contrib/dev/iwlwifi/mvm/sta.c8
2 files changed, 7 insertions, 3 deletions
diff --git a/sys/contrib/dev/iwlwifi/mvm/rxmq.c b/sys/contrib/dev/iwlwifi/mvm/rxmq.c
index feb1afd65f87..a29cfbfc99a4 100644
--- a/sys/contrib/dev/iwlwifi/mvm/rxmq.c
+++ b/sys/contrib/dev/iwlwifi/mvm/rxmq.c
@@ -506,6 +506,8 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
return false;
mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+ if (WARN_ON(mvm_sta->dup_data == NULL))
+ return false;
dup_data = &mvm_sta->dup_data[queue];
/*
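Review bot: The NULL check added before `dup_data = &mvm_sta->dup_data[queue];` is a check-then-use against a pointer that iwl_mvm_rm_sta() frees and clears under mvm->mutex, which this RX path does not appear to hold, so a concurrent free can still land between the test and the later dereference of dup_data; the commit message itself says the race is not yet understood. As written the check is a mitigation rather than a fix, and that deserves a comment at the check, e.g. `/* XXX dup_data is freed by iwl_mvm_rm_sta(); this only narrows the race, see commit message. */`. Because the condition is expected to be hit in the racy case rather than never, `WARN_ON_ONCE` would avoid flooding the log if it fires on every received frame for that station. iwl_mvm_is_dup() begins and ends outside the hunk.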
diff --git a/sys/contrib/dev/iwlwifi/mvm/sta.c b/sys/contrib/dev/iwlwifi/mvm/sta.c
index f7f2263c3ca4..70267a6cd4b4 100644
--- a/sys/contrib/dev/iwlwifi/mvm/sta.c
+++ b/sys/contrib/dev/iwlwifi/mvm/sta.c
@@ -1734,8 +1734,8 @@ int iwl_mvm_drain_sta(struct iwl_mvm *mvm, struct iwl_mvm_sta *mvmsta,
break;
default:
ret = -EIO;
- IWL_ERR(mvm, "Couldn't drain frames for staid %d\n",
- mvmsta->sta_id);
+ IWL_ERR(mvm, "Couldn't drain frames for staid %d, status %#x\n",
+ mvmsta->sta_id, status);
break;
}
@@ -1835,8 +1835,10 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
lockdep_assert_held(&mvm->mutex);
- if (iwl_mvm_has_new_rx_api(mvm))
+ if (iwl_mvm_has_new_rx_api(mvm)) {
kfree(mvm_sta->dup_data);
+ mvm_sta->dup_data = NULL;
+ }
ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);
if (ret)
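Review bot: Clearing `mvm_sta->dup_data` after kfree() only helps a reader that loads the pointer after the store; it does not wait for an RX path that already read the old value, so the modified-after-free this commit chases can still occur if frames for this station are in flight while iwl_mvm_rm_sta() runs. The free happens under mvm->mutex (see the lockdep_assert_held() above), but nothing in the hunk shows the RX-side consumer taking that lock, so the limitation should be stated at the kfree, e.g. `/* RX path checks dup_data for NULL; this does not order against in-flight RX, see iwl_mvm_is_dup(). */`. If the race is confirmed, deferring the free until the station can no longer be reached from the RX path is presumably the structural fix rather than the NULL store. The enclosing function continues outside the hunk.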