Zheng Wang 0a7591e14a wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
[ Upstream commit 0f7352557a ]

This is the candidate patch of CVE-2023-47233:
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver, it starts with the following invoking chain
to start init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work,
		  brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is:

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout worker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.

Fixes: e756af5b30 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240107072504.392713-1-arend.vanspriel@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-04-03 15:32:00 +02:00
arch riscv: Fix compilation error with FAST_GUP and rv32 2024-03-26 18:17:34 -04:00
block block: fix deadlock between bd_link_disk_holder and partition scan 2024-03-26 18:16:27 -04:00
certs This update includes the following changes: 2023-11-02 16:15:30 -10:00
crypto crypto: jitter - fix CRYPTO_JITTERENTROPY help text 2024-03-26 18:17:12 -04:00
Documentation net: move dev->state into net_device_read_txrx group 2024-03-26 18:17:35 -04:00
drivers wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach 2024-04-03 15:32:00 +02:00
fs ceph: stop copying to iter at EOF on sync reads 2024-03-26 18:17:36 -04:00
include dm io: Support IO priority 2024-03-26 18:17:38 -04:00
init modules: wait do_free_init correctly 2024-03-26 18:17:17 -04:00
io_uring io_uring: fix poll_remove stalled req completion 2024-03-26 18:17:34 -04:00
ipc shm: Slim down dependencies 2023-12-20 19:26:31 -05:00
kernel printk: Use prb_first_seq() as base for 32bit seq macros 2024-03-26 18:17:39 -04:00
lib lib/stackdepot: off by one in depot_fetch_stack() 2024-03-26 18:17:17 -04:00
LICENSES LICENSES: Add the copyleft-next-0.3.1 license 2022-11-08 15:44:01 +01:00
mm quota: Properly annotate i_dquot arrays with __rcu 2024-03-26 18:17:03 -04:00
net netfilter: nf_tables: Fix a memory leak in nf_tables_updchain 2024-03-26 18:17:38 -04:00
rust Rust changes for v6.8 2024-01-11 13:05:41 -08:00
samples work around gcc bugs with 'asm goto' with outputs 2024-02-09 15:57:48 -08:00
scripts kconfig: fix infinite loop when expanding a macro at the end of file 2024-03-26 18:17:29 -04:00
security integrity-v6.8-fix 2024-03-05 13:21:30 -08:00
sound ASoC: SOF: amd: Skip IRAM/DRAM size modification for Steam Deck OLED 2024-03-26 18:17:34 -04:00
tools selftests: forwarding: Fix ping failure due to short timeout 2024-03-26 18:17:38 -04:00
usr Kbuild updates for v6.8 2024-01-18 17:57:07 -08:00
virt KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY 2024-02-22 17:07:06 -08:00
.clang-format clang-format: Update with v6.7-rc4's for_each macro list 2023-12-08 23:54:38 +01:00
.cocciconfig
.editorconfig Add .editorconfig file for basic formatting 2023-12-28 16:22:47 +09:00
.get_maintainer.ignore
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore Add .editorconfig file for basic formatting 2023-12-28 16:22:47 +09:00
.mailmap drm fixes for 6.8 final 2024-03-08 12:44:56 -08:00
.rustfmt.toml
COPYING
CREDITS MAINTAINERS: supplement of zswap maintainers update 2024-01-25 23:52:21 -08:00
Kbuild Kbuild updates for v6.1 2022-10-10 12:00:45 -07:00
Kconfig
MAINTAINERS drm fixes for 6.8 final 2024-03-08 12:44:56 -08:00
Makefile Linux 6.8.2 2024-03-26 18:23:34 -04:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.