wifi: mwifiex: fix double free in mwifiex_send_rgpower_table()

[PATCH next] wifi: mwifiex: fix double free in mwifiex_send_rgpower_table()

Posted by Dan Carpenter 3 weeks, 6 days ago

The "hostcmd" is freed using cleanup.h, so calling kfree() will lead to
a double free.  Delete the kfree().

Fixes: 7b6f16a25806 ("wifi: mwifiex: add rgpower table loading support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/net/wireless/marvell/mwifiex/sta_cmd.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
index 6d9e2af29a69..91d5098081e8 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
@@ -1521,10 +1521,8 @@ int mwifiex_send_rgpower_table(struct mwifiex_private *priv, const u8 *data,
 		return -ENOMEM;
 
 	_data = kmemdup(data, size, GFP_KERNEL);
-	if (!_data) {
-		kfree(hostcmd);
+	if (!_data)
 		return -ENOMEM;
-	}
 
 	pos = _data;
 	ptr = hostcmd->cmd;
-- 
2.47.2

Re: [PATCH next] wifi: mwifiex: fix double free in mwifiex_send_rgpower_table()

Posted by Stefan Kerkmann 3 weeks, 1 day ago

Hi Dan,

thanks for spotting and fixing the double free error. I converted the 
code to use the cleanup helper late in the dev process and forgot to 
remove the call. I sent a patch for the endianness bug as well.

On 05.09.25 10:02, Dan Carpenter wrote:
> The "hostcmd" is freed using cleanup.h, so calling kfree() will lead to
> a double free.  Delete the kfree().
> 
> Fixes: 7b6f16a25806 ("wifi: mwifiex: add rgpower table loading support")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>   drivers/net/wireless/marvell/mwifiex/sta_cmd.c | 4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
> index 6d9e2af29a69..91d5098081e8 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_cmd.c
> @@ -1521,10 +1521,8 @@ int mwifiex_send_rgpower_table(struct mwifiex_private *priv, const u8 *data,
>   		return -ENOMEM;
>   
>   	_data = kmemdup(data, size, GFP_KERNEL);
> -	if (!_data) {
> -		kfree(hostcmd);
> +	if (!_data)
>   		return -ENOMEM;
> -	}
>   
>   	pos = _data;
>   	ptr = hostcmd->cmd;

Thank you,
Stefan

-- 
Pengutronix e.K.                       | Stefan Kerkmann             |
Steuerwalder Str. 21                   | https://www.pengutronix.de/ |
31137 Hildesheim, Germany              | Phone: +49-5121-206917-128  |
Amtsgericht Hildesheim, HRA 2686       | Fax:   +49-5121-206917-9    |

Re: [PATCH next] wifi: mwifiex: fix double free in mwifiex_send_rgpower_table()

Posted by Francesco Dolcini 3 weeks, 6 days ago

On Fri, Sep 05, 2025 at 11:02:14AM +0300, Dan Carpenter wrote:
> The "hostcmd" is freed using cleanup.h, so calling kfree() will lead to
> a double free.  Delete the kfree().
> 
> Fixes: 7b6f16a25806 ("wifi: mwifiex: add rgpower table loading support")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>

Francesco