From 7c9e11f9b3798b1d3e56ba0c1e0578b303f315f2 Mon Sep 17 00:00:00 2001
From: Stefan Sperling
Date: Sat, 12 Aug 2017 15:10:28 +0000
Subject: Prevent a NULL pointer deref in iwm(4) which I have seen during testing.

iwm_stop() sets the phy context pointer in the ic_bss node to NULL. If iwm_stop() runs in parallel to the newstate task, the newstate task can dereference this pointer in iwn_update_quotas() or iwm_binding_cmd(). So check the pointer for NULL before derefencing. This is a quick and dirty workaround. A proper fix for such task races is still pending.
---
 sys/dev/pci/if_iwm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sys/dev/pci/if_iwm.c b/sys/dev/pci/if_iwm.c
index ea2dc3b203b..cbbd16bcadc 100644
--- a/sys/dev/pci/if_iwm.c
+++ b/sys/dev/pci/if_iwm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwm.c,v 1.205 2017/08/12 14:07:33 stsp Exp $ */
+/* $OpenBSD: if_iwm.c,v 1.206 2017/08/12 15:10:27 stsp Exp $ */
 /*
  * Copyright (c) 2014, 2016 genua gmbh
@@ -3599,6 +3599,9 @@ iwm_binding_cmd(struct iwm_softc *sc, struct iwm_node *in, uint32_t action)
 if (action == IWM_FW_CTXT_ACTION_REMOVE && !active)
 panic("binding already removed");
+ if (phyctxt == NULL) /* XXX race with iwm_stop() */
+ return EINVAL;
+
 memset(&cmd, 0, sizeof(cmd));
 cmd.id_and_color
@@ -5292,7 +5295,7 @@ iwm_update_quotas(struct iwm_softc *sc, struct iwm_node *in, int running)
 memset(&cmd, 0, sizeof(cmd));
 /* currently, PHY ID == binding ID */
- if (in) {
+ if (in && in->in_phyctxt) {
 id = in->in_phyctxt->id;
 KASSERT(id < IWM_MAX_BINDINGS);
 colors[id] = in->in_phyctxt->color;
-- 
cgit v1.2.3
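Review bot: The new `phyctxt == NULL` guard in iwm_binding_cmd() is placed after the `panic("binding already removed")` test, so any read of `phyctxt` between the function's entry and this point is still unprotected; the hunk does not show where `phyctxt` and `active` are computed, but if `active` is derived from the context pointer the guard is reached too late and the deref the commit is trying to prevent still happens. Moving the check to immediately after `phyctxt` is assigned would make the intent, bailing as soon as iwm_stop() has cleared the context, unmistakable and cover every later use. Returning `EINVAL` also lets the newstate caller confuse a torn-down context with a genuinely bad argument; at minimum the return deserves a comment such as `/* PHY context was cleared by iwm_stop(); nothing to bind */` so the next reader does not treat it as a firmware argument error. iwm_binding_cmd() begins and ends outside the hunk.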
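Review bot: In iwm_update_quotas() the condition `if (in && in->in_phyctxt)` reads `in->in_phyctxt` once and the branch body then re-reads it twice, for `->id` and `->color`, so the concurrent NULL store by iwm_stop() that the commit message describes can still land between the check and either of those reads; nothing in the hunk serialises the two tasks, so this narrows the window without closing it. The iwm_binding_cmd() hunk in the same commit already tests a local `phyctxt` rather than the node field, and this site should follow the same pattern: load `in->in_phyctxt` into a local before the `if`, test the local, and use it on the `id =`, `KASSERT` and `colors[id] =` lines instead of going back through `in`. That is a few lines of mechanical change and keeps the `KASSERT(id < IWM_MAX_BINDINGS)` bound check as is. iwm_update_quotas() continues past the end of the hunk.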