Fri Aug 18 14:58:15 2017 UTC ()

Pull up following revision(s) (requested by mrg in ticket #1473):
	sys/dev/pci/if_ipw.c: revision 1.65 via patch
Null out sbuf->m on failure to avoid double-free later.
From Ilja Van Sprundel.
Also null out sbuf->map out of paranoia.


(snj)

diff -r1.53 -r1.53.2.1 src/sys/dev/pci/if_ipw.c

--- src/sys/dev/pci/if_ipw.c 2012/01/30 19:41:20	1.53
+++ src/sys/dev/pci/if_ipw.c 2017/08/18 14:58:15	1.53.2.1

 @@ -1,14 +1,14 @@
-/*	$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $	*/
+/*	$NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $	*/
 /*	FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 	*/
 /*-
  * Copyright (c) 2004, 2005
  *      Damien Bergamini <damien.bergamini@free.fr>. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice unmodified, this list of conditions, and the following
  *    disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -19,27 +19,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53 2012/01/30 19:41:20 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.53.2.1 2017/08/18 14:58:15 snj Exp $");
 /*-
  * Intel(R) PRO/Wireless 2100 MiniPCI driver
  * http://www.intel.com/network/connectivity/products/wireless/prowireless_mobile.htm
  */
 #include <sys/param.h>
 #include <sys/sockio.h>
 #include <sys/sysctl.h>
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/socket.h>
 @@ -580,46 +580,50 @@ ipw_dma_alloc(struct ipw_softc *sc)
 		sbuf = &sc->rx_sbuf_list[i];
 		sbd->bd = &sc->rbd_list[i];
 		MGETHDR(sbuf->m, M_DONTWAIT, MT_DATA);
 		if (sbuf->m == NULL) {
 			aprint_error_dev(&sc->sc_dev, "could not allocate rx mbuf\n");
 			error = ENOMEM;
 			goto fail;
+		}
 		MCLGET(sbuf->m, M_DONTWAIT);
 		if (!(sbuf->m->m_flags & M_EXT)) {
 			m_freem(sbuf->m);
 			sbuf->m = NULL;
 			aprint_error_dev(&sc->sc_dev, "could not allocate rx mbuf cluster\n");
 			error = ENOMEM;
 			goto fail;
+		}
 		sbuf->m->m_pkthdr.len = sbuf->m->m_len = sbuf->m->m_ext.ext_size;
 		error = bus_dmamap_create(sc->sc_dmat, MCLBYTES, 1, MCLBYTES,
 , BUS_DMA_NOWAIT | BUS_DMA_ALLOCNOW, &sbuf->map);
 		if (error != 0) {
 			aprint_error_dev(&sc->sc_dev, "could not create rxbuf dma map\n");
 			m_freem(sbuf->m);
 			sbuf->m = NULL;
 			goto fail;
+		}
 		error = bus_dmamap_load_mbuf(sc->sc_dmat, sbuf->map,
 		    sbuf->m, BUS_DMA_READ | BUS_DMA_NOWAIT);
 		if (error != 0) {
 			bus_dmamap_destroy(sc->sc_dmat, sbuf->map);
 			sbuf->map = NULL;
 			m_freem(sbuf->m);
 			sbuf->m = NULL;
 			aprint_error_dev(&sc->sc_dev, "could not map rxbuf dma memory\n");
 			goto fail;
+		}
 		sbd->type = IPW_SBD_TYPE_DATA;
 		sbd->priv = sbuf;
 		sbd->bd->physaddr = htole32(sbuf->map->dm_segs[0].ds_addr);
 		sbd->bd->len = htole32(MCLBYTES);
 		bus_dmamap_sync(sc->sc_dmat, sbuf->map, 0,
 		    sbuf->map->dm_mapsize, BUS_DMASYNC_PREREAD);
+	}