Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp447154ybl;
        Tue, 28 Jan 2020 06:08:42 -0800 (PST)
X-Google-Smtp-Source: APXvYqxL6DIUNLoLanjy+Vue853l8S6zZcoEVVA6iDfYm3iWbX30MKlfU0frB3k9kTZ3tWpvzF5K
X-Received: by 2002:a05:6830:22e2:: with SMTP id t2mr16826360otc.129.1580220522227;
        Tue, 28 Jan 2020 06:08:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1580220522; cv=none;
        d=google.com; s=arc-20160816;
        b=VgrAnJvYNhI3oCxvZC0S+5iIONWagmh1Y+PVMRFg0AN59qIOd+wbY3I0UkDARy+Kip
         S4eB4k+P/8p6jUcPzEebTq914D/lBl0B0O9EsP7AjGn2WBHaBSx5pFOlJTOFX/pMZRwH
         GYnGMlkhGt+nzOuTPNWBf7DaqWr/ormICpiVp0F7v4njPlZFsp926IWwGf4/ujhx9UQ8
         C4yTCNSHpXq1txX8S0lnVppItOJoXmKHPv9PHJcMWbi2BZMg6xDRZmyKz4oBXyCSm9lR
         XGbkzDPvsFX4VjAt7jHI0ZzLKGlNck5ie55x7OcKFDJV+q6jDnNGoaY8GxQrmuHF0gXP
         fU1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=kQpkAtKVtDz2tJ/WtaUFiISOwdE/Nt+kGhNlmScwNMU=;
        b=ngUPJs7MJLfIuyEhtJbJtJmpE1bIc0cosnsf7essOSmIsZjzvdd2GxqK6YtzK8Q4fb
         EPCb2gNiMcSjkXJBD9Ff3nmIILYOyhmoW0Q+JV4o2kM4lMCVxh6YvLl5dDnxE5zQKQyo
         KcSKVzKokAV3wU0UPVaFVuTeCv17IQiohjqUSDFQYDjlLEjvMVq1OyEe/n6yoNLWfy82
         qD65l7tGjoNpyAz1WVRF/5G4h/s5WBbEBLxa+7TZzJ8HC/S2kTu9uP5zSRv04z6lxvTo
         MObgU8eSEaAoT7UOtgNbOvdPRyX3eR553G8VBQaFvVrTGStvlP23oFqfgN207paZ5CZ0
         WKag==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Lsv0WtS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k8si2948644otp.69.2020.01.28.06.08.25;
        Tue, 28 Jan 2020 06:08:42 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Lsv0WtS+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727336AbgA1OGA (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Tue, 28 Jan 2020 09:06:00 -0500
Received: from mail.kernel.org ([198.145.29.99]:52966 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728254AbgA1OFY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Jan 2020 09:05:24 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 590F124691;
        Tue, 28 Jan 2020 14:05:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1580220322;
        bh=GJg9d1r4pYUfl27AEWO0u5jB0pOqYWZhP3ZhkRWf2ms=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Lsv0WtS+z6cdmVnj6Ku5Arsa80eWY/FUNDGddrmsIrFdVXUzyBlcus37bDAW5CnoE
         lnJfiT6oUdw6J2J+gHfdFmlR6/nu0TJsa9K8Ri0rcsXCmf+R5jt6LYZOgiL7v31o7m
         nVLjyr9R+J1bVF66mgV+O2L/DdUV8MeFvCj8YLVU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>,
        Luca Coelho <luciano.coelho@intel.com>
Subject: [PATCH 5.4 081/104] iwlwifi: mvm: fix potential SKB leak on TXQ TX
Date:   Tue, 28 Jan 2020 15:00:42 +0100
Message-Id: <20200128135828.374903351@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200128135817.238524998@linuxfoundation.org>
References: <20200128135817.238524998@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg <johannes.berg@intel.com>

commit df2378ab0f2a9dd4cf4501268af1902cc4ebacd8 upstream.

When we transmit after TXQ dequeue, we aren't paying attention to
the return value of the transmit functions, leading to a potential
SKB leak.

Refactor the code a bit (and rename ..._tx to ..._tx_sta) to check
for this happening.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c |   28 ++++++++++++----------
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h      |    4 +--
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c       |    4 +--
 3 files changed, 20 insertions(+), 16 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -742,6 +742,20 @@ int iwl_mvm_mac_setup_register(struct iw
 	return ret;
 }
 
+static void iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
+			   struct ieee80211_sta *sta)
+{
+	if (likely(sta)) {
+		if (likely(iwl_mvm_tx_skb_sta(mvm, skb, sta) == 0))
+			return;
+	} else {
+		if (likely(iwl_mvm_tx_skb_non_sta(mvm, skb) == 0))
+			return;
+	}
+
+	ieee80211_free_txskb(mvm->hw, skb);
+}
+
 static void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
 			   struct ieee80211_tx_control *control,
 			   struct sk_buff *skb)
@@ -785,14 +799,7 @@ static void iwl_mvm_mac_tx(struct ieee80
 		}
 	}
 
-	if (sta) {
-		if (iwl_mvm_tx_skb(mvm, skb, sta))
-			goto drop;
-		return;
-	}
-
-	if (iwl_mvm_tx_skb_non_sta(mvm, skb))
-		goto drop;
+	iwl_mvm_tx_skb(mvm, skb, sta);
 	return;
  drop:
 	ieee80211_free_txskb(hw, skb);
@@ -842,10 +849,7 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80
 				break;
 			}
 
-			if (!txq->sta)
-				iwl_mvm_tx_skb_non_sta(mvm, skb);
-			else
-				iwl_mvm_tx_skb(mvm, skb, txq->sta);
+			iwl_mvm_tx_skb(mvm, skb, txq->sta);
 		}
 	} while (atomic_dec_return(&mvmtxq->tx_request));
 	rcu_read_unlock();
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
@@ -1508,8 +1508,8 @@ int __must_check iwl_mvm_send_cmd_status
 int __must_check iwl_mvm_send_cmd_pdu_status(struct iwl_mvm *mvm, u32 id,
 					     u16 len, const void *data,
 					     u32 *status);
-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
-		   struct ieee80211_sta *sta);
+int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
+		       struct ieee80211_sta *sta);
 int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb);
 void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
 			struct iwl_tx_cmd *tx_cmd,
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1203,8 +1203,8 @@ drop:
 	return -1;
 }
 
-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
-		   struct ieee80211_sta *sta)
+int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
+		       struct ieee80211_sta *sta)
 {
 	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
 	struct ieee80211_tx_info info;