iwlwifi: mvm: fix reserved txq freeing

If a TXQ's marking as a reserved queue is removed,
when removing the STA the driver might try to access
out of bounds memory. Make sure the reserved queue
is freed only if it is still reserved.

Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index a65030f4019dba7ea0d6c2ede1c4924df2d5eba3..c9dcb70cb525ed2d3198bcec4978e5481d142f55 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -1494,12 +1494,15 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
                ret = iwl_mvm_drain_sta(mvm, mvm_sta, false);
 
                /* If DQA is supported - the queues can be disabled now */
-               if (iwl_mvm_is_dqa_supported(mvm)) {
+               if (iwl_mvm_is_dqa_supported(mvm))
+                       iwl_mvm_disable_sta_queues(mvm, vif, mvm_sta);
+
+               /* If there is a TXQ still marked as reserved - free it */
+               if (iwl_mvm_is_dqa_supported(mvm) &&
+                   mvm_sta->reserved_queue != IEEE80211_INVAL_HW_QUEUE) {
                        u8 reserved_txq = mvm_sta->reserved_queue;
                        enum iwl_mvm_queue_status *status;
 
-                       iwl_mvm_disable_sta_queues(mvm, vif, mvm_sta);
-
                        /*
                         * If no traffic has gone through the reserved TXQ - it
                         * is still marked as IWL_MVM_QUEUE_RESERVED, and