This is a note to let you know that I've just added the patch titled
wifi: iwlwifi: fix double-free bug
to the 6.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-iwlwifi-fix-double-free-bug.patch
and it can be found in the queue-6.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 353d321f63f7dbfc9ef58498cc732c9fe886a596 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@xxxxxxxxx>
Date: Tue, 23 Jan 2024 20:08:11 +0200
Subject: wifi: iwlwifi: fix double-free bug
From: Johannes Berg <johannes.berg@xxxxxxxxx>
commit 353d321f63f7dbfc9ef58498cc732c9fe886a596 upstream.
The storage for the TLV PC register data wasn't done like all
the other storage in the drv->fw area, which is cleared at the
end of deallocation. Therefore, the freeing must also be done
differently, explicitly NULL'ing it out after the free, since
otherwise there's a nasty double-free bug here if a file fails
to load after this has been parsed, and we get another free
later (e.g. because no other file exists.) Fix that by adding
the missing NULL assignment.
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 5e31b3df86ec ("wifi: iwlwifi: dbg: print pc register data once fw dump occurred")
Reported-by: Guy Kaplan <guy.kaplan@xxxxxxxxx>
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Reviewed-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
Link: https://msgid.link/20240123200528.675f3c24ec0d.I6ab4015cd78d82dd95471f840629972ef0331de3@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -128,6 +128,7 @@ static void iwl_dealloc_ucode(struct iwl
kfree(drv->fw.ucode_capa.cmd_versions);
kfree(drv->fw.phy_integration_ver);
kfree(drv->trans->dbg.pc_data);
+ drv->trans->dbg.pc_data = NULL;
for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
iwl_free_fw_img(drv, drv->fw.img + i);
Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are
queue-6.7/wifi-iwlwifi-uninitialized-variable-in-iwl_acpi_get_.patch
queue-6.7/wifi-iwlwifi-mvm-fix-a-crash-when-we-run-out-of-stations.patch
queue-6.7/wifi-iwlwifi-clear-link_id-in-time_event.patch
queue-6.7/wifi-iwlwifi-fix-some-error-codes.patch
queue-6.7/wifi-iwlwifi-fix-double-free-bug.patch
queue-6.7/wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch
queue-6.7/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
