Date: Thu, 16 Nov 2023 19:25:10 +0100
Message-ID: <87h6llmu7t.wl-tiwai@suse.de>
From: Takashi Iwai
To: Arend Van Spriel
Cc: Zheng Hacker, Kalle Valo, Zheng Wang, [further recipients elided]
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
In-Reply-To: <18bd95c97f0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
References: <20231106141704.866455-1-zyytlz.wz@163.com>
 <87o7g7ueom.fsf@kernel.org>
 <18ba5520da0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
 <18bd95c97f0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
X-Mailing-List: linux-wireless@vger.kernel.org

On Thu, 16 Nov 2023 19:20:06 +0100, Arend Van Spriel wrote:
>
> On November 15, 2023 4:00:46 PM Zheng Hacker wrote:
>
> > Arend van Spriel wrote on Monday, 13 November 2023 at 17:18:
> >>
> >> On November 8, 2023 4:03:26 AM Zheng Hacker wrote:
> >>
> >>> Arend Van Spriel wrote on Monday, 6 November 2023 at 23:48:
> >>>>
> >>>> On November 6, 2023 3:44:53 PM Zheng Hacker wrote:
> >>>>
> >>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
> >>>>> if anyone could help with that.
> >>>>
> >>>> I would volunteer, but it made me dig deep and not sure if there is a
> >>>> problem to solve here.
> >>>>
> >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
> >>>> brcmf_notify_escan_complete() which does delete the timer.
> >>>>
> >>>> What am I missing here?
> >>>
> >>> Thanks for your detailed review. I did see the code and not sure if
> >>> brcmf_notify_escan_complete
> >>> would be triggered for sure. So in the first version I want to delete
> >>> the pending timer ahead of time.
> >>
> >> Why requesting a CVE when you are not sure? Seems a bit hasty to put it
> >> mildly.
> >
> > I'm sure the issue exists because there's only a canceler of the timer but not of the worker.
> > As there are similar CVEs before, like: https://github.com/V4bel/CVE-2022-41218,
> > I submitted it as soon as I found it.
>
> Ah, yes. The cancel_work_sync() can also be done in
> brcmf_notify_escan_complete().

AFAIUC, brcmf_notify_escan_complete() is called from the work itself, too,
hence you can't issue cancel_work_sync() there (unless you make it
conditional).


Takashi
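The pattern the thread argues over, as an added example in plain C that is not part of the thread and not the brcmfmac driver's code: a single-threaded model of a timer that queues a work item, a detach path that deletes only the timer (so an item the timer already queued still runs on released memory), a detach path that also cancels the work first, and the self-wait that an unconditional cancel_work_sync() issued from inside the work handler would cause, which is why such a call has to be conditional. Everything here is constructed for illustration: the names (struct priv, escan_timer_cb, escan_work_fn, detach_timer_only, detach_timer_and_work), the one-slot workqueue, and the model cancel_work_sync() that reports a self-wait with -1 instead of hanging; the object is poisoned rather than freed so the stale access stays detectable.

```c
/* Added example, not the brcmfmac driver's code: a single-threaded model of
 * the timer -> work -> detach pattern discussed in the thread. Every name
 * and the tiny workqueue model are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>

#define ALIVE  0xa11eu
#define POISON 0xdeadu

struct work { void (*fn)(struct work *); bool queued, running; };
struct timer { void (*fn)(struct timer *); bool armed; };

static struct work *pending;   /* model workqueue: one pending slot */

static void queue_work(struct work *w)
{
    if (!w->queued) { w->queued = true; pending = w; }
}

/* Drain the queue the way the workqueue thread would, after the caller. */
static void flush_work_queue(void)
{
    struct work *w = pending;
    if (!w) return;
    pending = NULL; w->queued = false;
    w->running = true; w->fn(w); w->running = false;
}

/* Model of cancel_work_sync(): drop a queued item or wait for a running one.
 * Waiting for the item from inside its own handler can never finish, so the
 * model returns -1 there instead of hanging; 0 otherwise. */
static int cancel_work_sync(struct work *w)
{
    if (w->running) return -1;
    if (w->queued) { w->queued = false; pending = NULL; }
    return 0;
}

static void del_timer_sync(struct timer *t) { t->armed = false; }

/* Constructed stand-in for the driver's private data. */
struct priv {
    unsigned magic;
    struct timer escan_timer;
    struct work escan_work;
    int stale_access;   /* set by the handler when it runs after release */
};

static void escan_work_fn(struct work *w)
{
    struct priv *p = (struct priv *)((char *)w - offsetof(struct priv, escan_work));
    if (p->magic != ALIVE)   /* real code would simply dereference p here */
        p->stale_access = 1;
}

static void escan_timer_cb(struct timer *t)
{
    struct priv *p = (struct priv *)((char *)t - offsetof(struct priv, escan_timer));
    queue_work(&p->escan_work);
}

/* Poison instead of free so the stale access stays detectable. */
static void release_priv(struct priv *p) { p->magic = POISON; }

/* Detach that deletes only the timer: work it already queued still runs. */
static void detach_timer_only(struct priv *p)
{
    del_timer_sync(&p->escan_timer); release_priv(p);
}

/* Detach that also cancels the queued work before releasing. */
static void detach_timer_and_work(struct priv *p)
{
    del_timer_sync(&p->escan_timer); cancel_work_sync(&p->escan_work); release_priv(p);
}

/* Scenario: timer fires once, detach runs, then the workqueue drains.
 * Returns 1 if the handler ran on released memory, 0 otherwise. */
static int run_scenario(void (*detach)(struct priv *))
{
    struct priv p = { .magic = ALIVE, .escan_timer = { escan_timer_cb, true },
                      .escan_work = { .fn = escan_work_fn } };
    pending = NULL;
    p.escan_timer.fn(&p.escan_timer);   /* expiry queues the work */
    detach(&p);
    flush_work_queue();                 /* workqueue runs after detach */
    return p.stale_access;
}

/* An unconditional cancel_work_sync() issued from the work handler itself
 * can never complete; the model returns -1 for it. */
static int self_cancel_result;
static void self_cancelling_work_fn(struct work *w) { self_cancel_result = cancel_work_sync(w); }
static int cancel_from_within_work(void)
{
    struct work w = { .fn = self_cancelling_work_fn };
    pending = NULL; queue_work(&w); flush_work_queue();
    return self_cancel_result;
}
```

run_scenario(detach_timer_only) returns 1 (the handler touched the poisoned object), run_scenario(detach_timer_and_work) returns 0, and cancel_from_within_work() returns -1. In the model the guard for the conditional call is simply the item's running flag; a real driver would have to decide from its own context whether it is executing inside that work before issuing the synchronous cancel.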