Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp655199rdb;
        Tue, 23 Jan 2024 10:27:32 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGv2s25BAxD3YCtgf/HlbSo90/bg92BlNQfuWnIzYX5p/4mfyxTXRS3ruQrLZp5LnHd/620
X-Received: by 2002:a05:6402:3c3:b0:55c:4f20:3098 with SMTP id t3-20020a05640203c300b0055c4f203098mr1136411edw.49.1706034452707;
        Tue, 23 Jan 2024 10:27:32 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706034452; cv=pass;
        d=google.com; s=arc-20160816;
        b=BuRmwuwEaEOYCgUHrWbHkmsTNkkf8eiGwNiZkyC434QSiiAY24C74NqBRWNimaTDPB
         jEFD41FS8ceUh+/xCoh73oqeB339HlRFtgv9LxWl1/xnViHrLMrzJubuCaaYQa609y/N
         BG2uQkDQ1exWqfaeZmMOOZGsIL3zj22KGVtH+sSvT92Sgy0FYzjCOzXEFbWm5eoVxdOD
         n/w01NzexkMjnqZIaRW8YOIXvk7L+Nyn7gND8o+c4UjJD9l5HASUJJHMdnE/VN2sEsLO
         3VmkT/Dvug3aowTNZGUicw2suZzTlqyabd/bmtBi2WGWnx6H8vClMBId0LM2G0ak+fgO
         kc9g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:organization:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature;
        bh=1yCXgzTZR6X8/vuU2bcGTgbncBbOVq2WWN8Hj8oGW5I=;
        fh=r0fvxjxKA4PNGPN/vBBVcPLBtiRZnq3P7U7qr4rgZfY=;
        b=F+6vVk8571lApyr1HDqJj1o546gtak0l5/1wZW6maEierhL0cVkgq+ETK051k+ncVV
         DOitdXAsZzJU+6v6LOGV2hWxZXfUxmU7wrc+57V6MATgVuR8LinhL4KwmfX6W5W7xgZV
         KTTlBfnjhRSJ8VFOJADtHoHQbsSrZuoGoxUP6xuhSnswk8Ey7iQAe/jWywcf5SBxkyc7
         eO8RaPpzZmF+nJaPzyll5I6EzprjpziQaZkr4+gCVA8xw1a4wC6RrsQPE0PGUUOmmgRy
         RzYbx+cMX7AHPDYbbfEIyvyZI9P2aPjYAEjevY7UP3lBiNH3XU57vKGf5KNUkYHQVIDt
         /R3g==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=YTAF76c3;
       arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com);
       spf=pass (google.com: domain of linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id i13-20020a05640242cd00b005538fc8a3f1si12608952edc.260.2024.01.23.10.27.32
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 23 Jan 2024 10:27:32 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=YTAF76c3;
       arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com);
       spf=pass (google.com: domain of linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2398-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 1D3E51F2C82F
	for <linux.lists.archive@gmail.com>; Tue, 23 Jan 2024 18:09:21 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 760E781AAB;
	Tue, 23 Jan 2024 18:08:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="YTAF76c3"
X-Original-To: linux-wireless@vger.kernel.org
Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD0E981211
	for <linux-wireless@vger.kernel.org>; Tue, 23 Jan 2024 18:08:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.13
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706033330; cv=none; b=UeL6W0bM0SUJNgxO3okkDwD3gpEts1cXxlUNqvZRshG4r7kEp5h7LDr24JTA3gV0SEdJy3umxL5goYVUU9sRypRqkZgY4llQVY3Xtv9yw0VdG3ho0qJ1MaQ2t2OKy4R/VwZhNU2brvfGguEhDnJcMK9Kkuw4OS4kZYrU4NQnPsM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706033330; c=relaxed/simple;
	bh=iwgU0p9i0rodI4rgTUyjNC3Gf3GTZzZkm2fYOJ1FAEM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=fJ+/OArtRBkzJxYVsctGI4IbwoeJ73IE+nm+USKctqXiu2KtY7FRdaHhYD9S7JIo1UO1eNrd9NXT0wVPOKAyTlMDrJ7SEXbuH/j3ymdEl1UvVOvUcqknjvO4sSTvYMUZRuaRghqVvzQYpNpVzx5CJMeju6kRUQPifG/2gW3LrF8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=YTAF76c3; arc=none smtp.client-ip=192.198.163.13
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1706033329; x=1737569329;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=iwgU0p9i0rodI4rgTUyjNC3Gf3GTZzZkm2fYOJ1FAEM=;
  b=YTAF76c3G65tDtvsnEV/3vtWGev/N5qLJ9TqoXmi7Prvq/8f7T8SnKbq
   VNgqyR8eXPU6lHihi3NbkmlMczoraVwjlZ+RoGp6ruyFSgPd3aPaXTfIg
   v5V2xhKjdiPorbvYyo6R24OauSI0rCbHnQONveJWHmH9DkNoUK7JFQmKW
   2KKep0s7yuwI+A8WUaBIAIBy05tU7JLqjQFFJRWjjSPFvpF3zWSbcPLPP
   rr6TS9ZreO0kN3Ge1yX3GDEmPsdcNja69+GJxySeTlO+PRCW1zK57Hjon
   lMK4XFiPDlAgvwz3rmDyLOXVXt1jYlveFbEvbjXRb/yolMqHgB3YlmRh/
   Q==;
X-IronPort-AV: E=McAfee;i="6600,9927,10962"; a="501709"
X-IronPort-AV: E=Sophos;i="6.05,215,1701158400"; 
   d="scan'208";a="501709"
Received: from orviesa003.jf.intel.com ([10.64.159.143])
  by fmvoesa107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jan 2024 10:08:49 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.05,215,1701158400"; 
   d="scan'208";a="1666470"
Received: from unknown (HELO WEIS0040.iil.intel.com) ([10.12.217.108])
  by ORVIESA003-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jan 2024 10:08:46 -0800
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
	Johannes Berg <johannes.berg@intel.com>,
	Guy Kaplan <guy.kaplan@intel.com>,
	Gregory Greenman <gregory.greenman@intel.com>
Subject: [PATCH 03/15] wifi: iwlwifi: fix double-free bug
Date: Tue, 23 Jan 2024 20:08:11 +0200
Message-Id: <20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240123180823.2441162-1-miriam.rachel.korenblit@intel.com>
References: <20240123180823.2441162-1-miriam.rachel.korenblit@intel.com>
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
List-Id: <linux-wireless.vger.kernel.org>
List-Subscribe: <mailto:linux-wireless+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-wireless+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Organization: Intel Israel (74) Limited
Content-Transfer-Encoding: 8bit

From: Johannes Berg <johannes.berg@intel.com>

The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.

Fixes: a3b8008dc142 ("wifi: mac80211: move ps setting to vif config")
Reported-by: Guy Kaplan <guy.kaplan@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index ffe2670720c9..abf8001bdac1 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv)
 	kfree(drv->fw.ucode_capa.cmd_versions);
 	kfree(drv->fw.phy_integration_ver);
 	kfree(drv->trans->dbg.pc_data);
+	drv->trans->dbg.pc_data = NULL;
 
 	for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
 		iwl_free_fw_img(drv, drv->fw.img + i);
-- 
2.34.1