On Sat, 2019-05-04 at 17:33 +0800, Jia-Ju Bai wrote:
> In the error handling code of iwl_req_fw_callback(), iwl_dealloc_ucode()
> is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is called
> again, which can cause double-free problems.
>
> To fix this bug, the call to iwl_dealloc_ucode() in
> iwl_req_fw_callback() is deleted.
>
> This bug was found by a runtime fuzzing tool named FIZZER written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
> ---
>  drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> index 689a65b11cc3..4fd1737d768b 100644
> --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
> @@ -1579,7 +1579,6 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
>  		goto free;
>
>   out_free_fw:
> -	iwl_dealloc_ucode(drv);
>  	release_firmware(ucode_raw);
>   out_unbind:
>  	complete(&drv->request_firmware_complete);

Thanks! Applied to our internal tree and will reach the mainline following our normal upstreaming process.

--
Cheers,
Luca.
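Review bot: dropping iwl_dealloc_ucode(drv) at out_free_fw makes the callback rely on iwl_drv_stop() being reached on every path that lands on that label, which the hunk does not show; if the firmware request can fail without the driver subsequently being stopped, the ucode buffers parsed before the failure now leak instead of being freed twice. The commit message should say how that ordering is guaranteed (for example that the device is unbound once the callback fails). A fix that does not depend on which caller runs first would be to make iwl_dealloc_ucode() idempotent by clearing each pointer after it frees it, so both call sites remain safe even if a future error path calls only one of them.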
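As an added example, not code from the patch or from the iwlwifi driver: a small C model of the two cleanup paths the commit message describes. A failed firmware callback and a later driver stop both call a dealloc helper, and a tracking allocator standing in for KASAN counts any free of a block that is no longer live instead of passing it to free(). The model runs the pre-patch ordering (dealloc in the callback, then again at stop), the post-patch ordering (dealloc only at stop), and a third variant in which the helper clears the pointers it frees so that both call sites stay safe. Every name in it (struct drv, dealloc_ucode_naive, dealloc_ucode_safe, req_fw_callback_fail, drv_stop, the tracker) is a hypothetical stand-in chosen for the illustration.

```c
/*
 * Added example (not iwlwifi code): two cleanup paths sharing one
 * dealloc helper, with a tracker that catches the double free.
 * All names below are hypothetical stand-ins.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation tracker standing in for KASAN/SLUB debug: freeing a pointer
 * that is not currently live is counted rather than handed to free(). */
#define MAX_TRACKED 16
static uintptr_t tracked[MAX_TRACKED];
static int double_free_count;

static void *tracked_alloc(size_t n)
{
	void *p = malloc(n);

	if (!p)
		abort();
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (tracked[i] == 0) {
			tracked[i] = (uintptr_t)p;
			return p;
		}
	}
	abort();	/* tracker full; never reached in this example */
}

static void tracked_free(void *p)
{
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (tracked[i] == (uintptr_t)p) {
			tracked[i] = 0;
			free(p);
			return;
		}
	}
	double_free_count++;	/* block was already freed once */
}

/* Number of blocks still live: a leak check for the post-patch ordering. */
static int live_allocations(void)
{
	int n = 0;

	for (int i = 0; i < MAX_TRACKED; i++)
		n += tracked[i] != 0;
	return n;
}

/* Hypothetical driver state: firmware images the driver owns. */
struct ucode_img {
	void *data;
	size_t len;
};

struct drv {
	struct ucode_img img[2];
};

typedef void (*dealloc_fn)(struct drv *);

/* Frees every image but leaves the pointers dangling, so a second call
 * frees the same block again (the behaviour the patch worked around). */
static void dealloc_ucode_naive(struct drv *d)
{
	for (size_t i = 0; i < 2; i++)
		if (d->img[i].data)
			tracked_free(d->img[i].data);
}

/* Idempotent variant: clears what it frees, so repeated calls are harmless. */
static void dealloc_ucode_safe(struct drv *d)
{
	for (size_t i = 0; i < 2; i++) {
		if (d->img[i].data) {
			tracked_free(d->img[i].data);
			d->img[i].data = NULL;
			d->img[i].len = 0;
		}
	}
}

/* Models the firmware callback failing after the first image was parsed.
 * cleanup_in_callback stands for the dealloc call the patch removes. */
static int req_fw_callback_fail(struct drv *d, dealloc_fn dealloc,
				bool cleanup_in_callback)
{
	d->img[0].data = tracked_alloc(64);
	d->img[0].len = 64;
	/* parsing of the second image fails here */
	if (cleanup_in_callback)
		dealloc(d);
	return -EINVAL;
}

/* Models the driver stop/unbind path, which always releases the images. */
static void drv_stop(struct drv *d, dealloc_fn dealloc)
{
	dealloc(d);
}

/* Runs a failed load followed by the stop path; returns the number of
 * double frees the tracker caught. */
static int run_scenario(dealloc_fn dealloc, bool cleanup_in_callback)
{
	struct drv d;

	memset(&d, 0, sizeof(d));
	double_free_count = 0;
	req_fw_callback_fail(&d, dealloc, cleanup_in_callback);
	drv_stop(&d, dealloc);
	return double_free_count;
}

int main(void)
{
	printf("pre-patch, naive dealloc:   %d double free(s)\n",
	       run_scenario(dealloc_ucode_naive, true));
	printf("post-patch, naive dealloc:  %d double free(s)\n",
	       run_scenario(dealloc_ucode_naive, false));
	printf("idempotent, both sites:     %d double free(s)\n",
	       run_scenario(dealloc_ucode_safe, true));
	printf("leaked blocks: %d\n", live_allocations());
	return 0;
}
```

The patch chooses a single owner for the cleanup (the stop path); the idempotent variant is the complementary defensive habit, clearing a pointer right after freeing it, which keeps either ordering safe without auditing every error label.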