[PATCH 03/15] wifi: iwlwifi: fix double-free bug

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
	Johannes Berg <johannes.berg@intel.com>,
	Guy Kaplan <guy.kaplan@intel.com>,
	Gregory Greenman <gregory.greenman@intel.com>
Subject: [PATCH 03/15] wifi: iwlwifi: fix double-free bug
Date: Tue, 23 Jan 2024 20:08:11 +0200	[thread overview]
Message-ID: <20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid> (raw)
In-Reply-To: <20240123180823.2441162-1-miriam.rachel.korenblit@intel.com>

From: Johannes Berg <johannes.berg@intel.com>

The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.

Fixes: a3b8008dc142 ("wifi: mac80211: move ps setting to vif config")
Reported-by: Guy Kaplan <guy.kaplan@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index ffe2670720c9..abf8001bdac1 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv)
 	kfree(drv->fw.ucode_capa.cmd_versions);
 	kfree(drv->fw.phy_integration_ver);
 	kfree(drv->trans->dbg.pc_data);
+	drv->trans->dbg.pc_data = NULL;
 
 	for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
 		iwl_free_fw_img(drv, drv->fw.img + i);
-- 
2.34.1

next prev parent reply	other threads:[~2024-01-23 18:08 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-23 18:08 [PATCH 00/15] wifi: iwlwifi: updates - 2022-01-23 Miri Korenblit
2024-01-23 18:08 ` [PATCH 01/15] wifi: iwlwifi: add kunit test for devinfo ordering Miri Korenblit
2024-01-23 18:24   ` Johannes Berg
2024-01-23 18:08 ` [PATCH 02/15] wifi: iwlwifi: Add support for new 802.11be device Miri Korenblit
2024-01-23 18:08 ` Miri Korenblit [this message]
2024-01-23 18:08 ` [PATCH 04/15] wifi: iwlwifi: make TB reallocation a debug message Miri Korenblit
2024-01-23 18:08 ` [PATCH 05/15] wifi: iwlwifi: disable 160Mhz based on SSID Miri Korenblit
2024-01-24  3:45   ` Jeff Johnson
2024-01-23 18:08 ` [PATCH 06/15] wifi: iwlwifi: mvm: limit EHT 320 MHz MCS for STEP URM Miri Korenblit
2024-01-23 18:08 ` [PATCH 07/15] wifi: iwlwifi: remove retry loops in start Miri Korenblit
2024-01-23 18:08 ` [PATCH 08/15] wifi: iwlwifi: change link id in time event to s8 Miri Korenblit
2024-01-23 18:08 ` [PATCH 09/15] wifi: iwlwifi: nvm-parse: advertise common packet padding Miri Korenblit
2024-01-23 18:08 ` [PATCH 10/15] wifi: iwlwifi: skip affinity setting on non-SMP Miri Korenblit
2024-01-23 18:08 ` [PATCH 11/15] wifi: iwlwifi: mvm: skip adding debugfs symlink for reconfig Miri Korenblit
2024-01-23 18:08 ` [PATCH 12/15] wifi: iwlwifi: mvm: introduce PHY_CONTEXT_CMD_API_VER_5 Miri Korenblit
2024-01-23 18:08 ` [PATCH 13/15] wifi: iwlwifi: bump FW API to 87 for AX/BZ/SC devices Miri Korenblit
2024-01-23 18:08 ` [PATCH 14/15] wifi: iwlwifi: implement can_activate_links callback Miri Korenblit
2024-01-23 18:08 ` [PATCH 15/15] wifi: iwlwifi: add support for a wiphy_work rx handler Miri Korenblit

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:ffe2670720c dfblob:abf8001bdac
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid \
    --to=miriam.rachel.korenblit@intel.com \
    --cc=gregory.greenman@intel.com \
    --cc=guy.kaplan@intel.com \
    --cc=johannes.berg@intel.com \
    --cc=johannes@sipsolutions.net \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.