git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Tue, 23 Jan 2024 18:08:11 +0000 (20:08 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 23 Feb 2024 08:25:12 +0000 (09:25 +0100)
commit	ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad
tree	d32f24c7acdaa7690d46b5d00e821f3e5aaa1c67	tree
parent	080da821b2c5cfacdeb61d8b416429ec8879186c	commit \| diff

wifi: iwlwifi: fix double-free bug

commit 353d321f63f7dbfc9ef58498cc732c9fe886a596 upstream.

The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.

Cc: stable@vger.kernel.org
Fixes: 5e31b3df86ec ("wifi: iwlwifi: dbg: print pc register data once fw dump occurred")
Reported-by: Guy Kaplan <guy.kaplan@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>