Commit 353d321f authored by Johannes Berg

wifi: iwlwifi: fix double-free bug

The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.

Cc: stable@vger.kernel.org
Fixes: 5e31b3df ("wifi: iwlwifi: dbg: print pc register data once fw dump occurred")
Reported-by: Guy Kaplan <guy.kaplan@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent 9b3058d1
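The failure path the commit message describes, as an added C example that is not iwlwifi code: a first firmware file fails to load after its PC register TLV has been parsed, the driver deallocates, and because no other file exists it deallocates again. The struct names, the memset that stands in for "cleared at the end of deallocation", and the tracking allocator that counts a second free instead of handing it to free() are all constructed for the example; only the shape of the bug (a pointer outside the cleared area that is freed but not reset) is taken from the commit.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not iwlwifi code. The layout is a constructed stand-in
 * for the one the commit message describes: drv->fw is wiped at the end
 * of deallocation, while the PC register data hangs off drv->trans->dbg
 * and is not.
 */
struct dbg_area { char *pc_data; };
struct transport { struct dbg_area dbg; };
struct fw_area { char *cmd_versions; char *phy_integration_ver; };
struct driver { struct fw_area fw; struct transport *trans; };

/*
 * Tiny tracking allocator (assumption: stands in for kmalloc/kfree).
 * A second free of the same pointer is counted instead of passed to
 * free(), so the double free can be shown without corrupting the heap
 * or tripping the C library's own abort.
 */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = malloc(n);
			return live[i];
		}
	}
	abort();
}

static void tracked_free(void *p)
{
	if (!p)			/* kfree(NULL) is a no-op; so is this */
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	double_free_count++;	/* p was already released: a double free */
}

/* Parses one firmware file; fails after the PC register TLV when asked to. */
static int parse_tlvs(struct driver *drv, int fail_after_pc_tlv)
{
	drv->fw.cmd_versions = tracked_alloc(8);
	drv->trans->dbg.pc_data = tracked_alloc(32);
	if (fail_after_pc_tlv)
		return -1;	/* e.g. a later TLV in the file is bad */
	drv->fw.phy_integration_ver = tracked_alloc(8);
	return 0;
}

/* with_fix selects the NULL assignment the commit adds. */
static void dealloc_ucode(struct driver *drv, int with_fix)
{
	tracked_free(drv->fw.cmd_versions);
	tracked_free(drv->fw.phy_integration_ver);
	tracked_free(drv->trans->dbg.pc_data);
	if (with_fix)
		drv->trans->dbg.pc_data = NULL;
	/* assumption: "cleared at the end of deallocation" modelled as memset */
	memset(&drv->fw, 0, sizeof(drv->fw));
}

/*
 * First file fails after the PC data was parsed and is deallocated; no
 * other file exists, so the driver deallocates again. Returns the number
 * of double frees observed.
 */
int run_scenario(int with_fix)
{
	struct transport trans = { 0 };
	struct driver drv = { .trans = &trans };

	memset(live, 0, sizeof(live));
	double_free_count = 0;

	if (parse_tlvs(&drv, 1) < 0)
		dealloc_ucode(&drv, with_fix);	/* error path of the first file */
	dealloc_ucode(&drv, with_fix);		/* final cleanup, no other file */
	return double_free_count;
}

int main(void)
{
	printf("without fix: %d double free(s)\n", run_scenario(0));
	printf("with fix:    %d double free(s)\n", run_scenario(1));
	return 0;
}
```

The members of drv->fw survive the second pass only because the memset zeroes them; pc_data lives on the transport, so nothing resets it except the explicit assignment, and the second kfree() in the real driver would hit an already released allocation.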
...@@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv) ...@@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv)
kfree(drv->fw.ucode_capa.cmd_versions); kfree(drv->fw.ucode_capa.cmd_versions);
kfree(drv->fw.phy_integration_ver); kfree(drv->fw.phy_integration_ver);
kfree(drv->trans->dbg.pc_data); kfree(drv->trans->dbg.pc_data);
drv->trans->dbg.pc_data = NULL;
for (i = 0; i < IWL_UCODE_TYPE_MAX; i++) for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
iwl_free_fw_img(drv, drv->fw.img + i); iwl_free_fw_img(drv, drv->fw.img + i);
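Review bot: a short comment above the new `drv->trans->dbg.pc_data = NULL;` would help, because it is the only kfree() in this block followed by a NULL reset and the reason is not visible in the hunk: the neighbouring pointers (`drv->fw.ucode_capa.cmd_versions`, `drv->fw.phy_integration_ver`) live in drv->fw, which the commit message says is cleared at the end of deallocation, while pc_data lives in drv->trans->dbg and is not. Something like `/* lives in trans->dbg, not drv->fw, so not cleared below */` would stop a future cleanup from dropping the line as redundant. With the reset in place a repeated call into this path is harmless, since kfree(NULL) is a no-op.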