drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +- drivers/net/wireless/intel/iwlwifi/mld/d3.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-)
Uninitialized pointers with the `__free` attribute can cause undefined
behavior, because whatever address the pointer happens to hold is freed
automatically when the pointer goes out of scope.
It is better to initialize and assign pointers with the `__free` attribute
in one statement to ensure proper scope-based cleanup.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
Signed-off-by: Ally Heev <allyheev@gmail.com>
---
Changes in v2:
- fixed style issues
- ignore v1 of this patch
- Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-wireless-v1-1-6c850a4a952a@gmail.com
---
drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mld/d3.c | 4 +---
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
index 4ae4d215e633e0d51194d818d479349e7c502201..c31a1187f53a79aeb0837f06250410eec4e7ea6d 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
@@ -818,8 +818,8 @@ int iwl_uefi_get_dsbr(struct iwl_fw_runtime *fwrt, u32 *value)
int iwl_uefi_get_phy_filters(struct iwl_fw_runtime *fwrt)
{
- struct uefi_cnv_wpfc_data *data __free(kfree);
struct iwl_phy_specific_cfg *filters = &fwrt->phy_filters;
+ struct uefi_cnv_wpfc_data *data __free(kfree) = NULL;
data = iwl_uefi_get_verified_variable(fwrt->trans, IWL_UEFI_WPFC_NAME,
"WPFC", sizeof(*data), NULL);
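Review bot: In iwl_uefi_get_phy_filters the pointer is still initialized to `NULL` in one statement and assigned in the next, which is not the single-statement form the commit message recommends. The initializer can carry the call directly, `struct uefi_cnv_wpfc_data *data __free(kfree) = iwl_uefi_get_verified_variable(fwrt->trans, IWL_UEFI_WPFC_NAME, "WPFC", sizeof(*data), NULL);`, so there is no window in which the variable is in scope without the value it is meant to free. The same applies to `cmd` in the iwl_mld_send_proto_offload hunk, where the allocation is outside the visible lines and the declaration would presumably have to move down to it. If `= NULL` is kept instead, a short comment such as `/* NULL so a return before the assignment never passes garbage to kfree() */` would record why. The function body continues past the end of this hunk.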
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
index 1d4282a21f09e0f90a52dc02c8287ecc0e0fafe1..d3a03940b0a2c6a4b0107266cd2fc11ec9745e47 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
@@ -996,8 +996,6 @@ static void iwl_mld_mlo_rekey(struct iwl_mld *mld,
struct iwl_mld_wowlan_status *wowlan_status,
struct ieee80211_vif *vif)
{
- struct iwl_mld_old_mlo_keys *old_keys __free(kfree) = NULL;
-
IWL_DEBUG_WOWLAN(mld, "Num of MLO Keys: %d\n", wowlan_status->num_mlo_keys);
if (!wowlan_status->num_mlo_keys)
@@ -1785,7 +1783,7 @@ iwl_mld_send_proto_offload(struct iwl_mld *mld,
struct ieee80211_vif *vif,
u8 ap_sta_id)
{
- struct iwl_proto_offload_cmd_v4 *cmd __free(kfree);
+ struct iwl_proto_offload_cmd_v4 *cmd __free(kfree) = NULL;
struct iwl_host_cmd hcmd = {
.id = PROT_OFFLOAD_CONFIG_CMD,
.dataflags[0] = IWL_HCMD_DFL_NOCOPY,
---
base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
change-id: 20251105-aheev-uninitialized-free-attr-wireless-bde764fbe81c
Best regards,
--
Ally Heev <allyheev@gmail.com>
> Subject: [PATCH v2] net: wireless: fix uninitialized pointers with free attribute
Please send iwlwifi patches to either iwlwifi-next or iwlwifi-fixes ([PATCH iwlwifi-next] wifi: iwlwifi: blah blah )
In your case it is not really fixing any bug, since we never return from the functions without initializing the pointers.
>
> Uninitialized pointers with `__free` attribute can cause undefined behavior as the
> memory assigned randomly to the pointer is freed automatically when the pointer
> goes out of scope.
>
> It is better to initialize and assign pointers with `__free` attribute in one statement
> to ensure proper scope-based cleanup
>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/
> Signed-off-by: Ally Heev <allyheev@gmail.com>
> ---
> Changes in v2:
> - fixed style issues
> - ignore v1 of this patch
> - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-
> wireless-v1-1-6c850a4a952a@gmail.com
> ---
> drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +-
> drivers/net/wireless/intel/iwlwifi/mld/d3.c | 4 +---
> 2 files changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
> b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
> index
> 4ae4d215e633e0d51194d818d479349e7c502201..c31a1187f53a79aeb0837f062
> 50410eec4e7ea6d 100644
> --- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
> +++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
> @@ -818,8 +818,8 @@ int iwl_uefi_get_dsbr(struct iwl_fw_runtime *fwrt, u32
> *value)
>
> int iwl_uefi_get_phy_filters(struct iwl_fw_runtime *fwrt) {
> - struct uefi_cnv_wpfc_data *data __free(kfree);
> struct iwl_phy_specific_cfg *filters = &fwrt->phy_filters;
> + struct uefi_cnv_wpfc_data *data __free(kfree) = NULL;
>
> data = iwl_uefi_get_verified_variable(fwrt->trans,
> IWL_UEFI_WPFC_NAME,
> "WPFC", sizeof(*data), NULL); diff --
> git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
> b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
> index
> 1d4282a21f09e0f90a52dc02c8287ecc0e0fafe1..d3a03940b0a2c6a4b0107266cd
> 2fc11ec9745e47 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
> @@ -996,8 +996,6 @@ static void iwl_mld_mlo_rekey(struct iwl_mld *mld,
> struct iwl_mld_wowlan_status *wowlan_status,
> struct ieee80211_vif *vif)
> {
> - struct iwl_mld_old_mlo_keys *old_keys __free(kfree) = NULL;
This removes an unused variable. Please do that in a separate patch
> -
> IWL_DEBUG_WOWLAN(mld, "Num of MLO Keys: %d\n", wowlan_status-
> >num_mlo_keys);
>
> if (!wowlan_status->num_mlo_keys)
> @@ -1785,7 +1783,7 @@ iwl_mld_send_proto_offload(struct iwl_mld *mld,
> struct ieee80211_vif *vif,
> u8 ap_sta_id)
> {
> - struct iwl_proto_offload_cmd_v4 *cmd __free(kfree);
> + struct iwl_proto_offload_cmd_v4 *cmd __free(kfree) = NULL;
> struct iwl_host_cmd hcmd = {
> .id = PROT_OFFLOAD_CONFIG_CMD,
> .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
>
> ---
> base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac
> change-id: 20251105-aheev-uninitialized-free-attr-wireless-bde764fbe81c
>
> Best regards,
> --
> Ally Heev <allyheev@gmail.com>
On Mon, Nov 10, 2025 at 01:17:10PM +0000, Korenblit, Miriam Rachel wrote:
> > Subject: [PATCH v2] net: wireless: fix uninitialized pointers with free attribute
>
> Please send iwlwifi patches to either iwlwifi-next or iwlwifi-fixes ([PATCH iwlwifi-next] wifi: iwlwifi: blah blah )
> In your case it is not really fixing any bug, since we never return from the functions without initializing the pointers.
I'm not a fan of these subsystem rules. If you're working over the entire
kernel then you would have to track over 400 different trees. This could
easily be done in the one place on the receiving end in the QC process
instead of forcing every contributor to write little shell scripts.
Anyway here is the code how I handle that for netdev. For BPF, which is the
only other subsystem with this rule, I only send bug reports instead of
patches because I really want to discourage this kind of rule...
git remote update net
git remote update net-next
if grep -q netdev $MAIL_FILE && ! grep -q wireless $MAIL_FILE ; then
if [ "$FIXES_COMMIT" != "" ] ; then
if git merge-base --is-ancestor $FIXES_COMMIT net/main ; then
TREE="net"
elif git merge-base --is-ancestor $FIXES_COMMIT net-next/main ; then
TREE="net-next"
else
TREE="net-other"
fi
else
TREE="net-next"
fi
fi
So the new iwlwifi code would be (free handed in my email client).
First add iwlwifi as a remote to your developement tree.
git remote add iwlwifi https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next.git
git remote update iwlwifi
if grep -q -w /iwlwifi/ $MAIL_FILE ; then
if [ "$FIXES_COMMIT" != "" ] ; then
if git merge-base --is-ancestor $FIXES_COMMIT iwlwifi/fixes ; then
TREE="iwlwifi"
elif git merge-base --is-ancestor $FIXES_COMMIT iwlwifi/next ; then
TREE="iwlwifi-next"
else
TREE="iwlwifi-other"
fi
else
TREE="iwlwifi-next"
fi
fi
regards,
dan carpenter