kernel_samsung_a53x/drivers/net/wireless/broadcom/brcm80211/brcmfmac
Zheng Wang c82abfa57d wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
[ Upstream commit 0f7352557a35ab7888bc7831411ec8a3cbe20d78 ]

This is the candidate patch of CVE-2023-47233:
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver, it starts with the following invoking chain
to start init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work,
		  brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is:

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout worker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.

Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240107072504.392713-1-arend.vanspriel@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-19 09:22:14 +01:00
bcdc.c
bcdc.h
bcmsdh.c
btcoex.c
btcoex.h
bus.h
cfg80211.c
cfg80211.h
chip.c
chip.h
common.c
common.h
commonring.c
commonring.h
core.c
core.h
debug.c
debug.h
dmi.c
feature.c
feature.h
firmware.c
firmware.h
flowring.c
flowring.h
fweh.c
fweh.h
fwil.c
fwil.h
fwil_types.h
fwsignal.c
fwsignal.h
Kconfig
Makefile
msgbuf.c
msgbuf.h
of.c
of.h
p2p.c
p2p.h
pcie.c
pcie.h
pno.c
pno.h
proto.c
proto.h
sdio.c
sdio.h
tracepoint.c
tracepoint.h
usb.c
usb.h
vendor.c
vendor.h