[PATCH AUTOSEL 4.20 010/304] ath10k: fixup extended per sta tx statistics

From: Sasha Levin
Date: Mon Jan 28 2019 - 12:52:27 EST


From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

[ Upstream commit 539b44e70c5b4ad82d2c0c97a4dfb37523d891f6 ]

I had a couple concerns with this code. First, we definitely need to
set the error code if the kzalloc() fails. Secondly, I was worried that
if we didn't set "arsta->tx_stats" to NULL after freeing it, then it
looks to me like it might lead to a use after free. I can't test that,
but it's harmless to set it to NULL so I did.

Fixes: a904417fc876 ("ath10k: add extended per sta tx statistics support")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/wireless/ath/ath10k/mac.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 7e49342bae38..b4764fee4751 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -6296,8 +6296,10 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
GFP_KERNEL);
- if (!arsta->tx_stats)
+ if (!arsta->tx_stats) {
+ ret = -ENOMEM;
goto exit;
+ }
}

num_tdls_stations = ath10k_mac_tdls_vif_stations_count(hw, vif);
@@ -6385,8 +6387,10 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
"mac vdev %d peer delete %pM sta %pK (sta gone)\n",
arvif->vdev_id, sta->addr, sta);

- if (ath10k_debug_is_extd_tx_stats_enabled(ar))
+ if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
kfree(arsta->tx_stats);
+ arsta->tx_stats = NULL;
+ }

if (sta->tdls) {
ret = ath10k_mac_tdls_peer_update(ar, arvif->vdev_id,
--
2.19.1