Received: by 2002:a05:7412:b130:b0:e2:908c:2ebd with SMTP id az48csp240651rdb; Thu, 16 Nov 2023 18:31:58 -0800 (PST) X-Google-Smtp-Source: AGHT+IGXa3mpLFCZB2e25crxGpHuLWymWJtJ5r9CEZsjmLSvk22S7NKDe/25T+/s99zyZu+cVBg/ X-Received: by 2002:a05:6358:590c:b0:16b:42bc:75fe with SMTP id g12-20020a056358590c00b0016b42bc75femr10953578rwf.11.1700188318472; Thu, 16 Nov 2023 18:31:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700188318; cv=none; d=google.com; s=arc-20160816; b=s7HZnxvnJLplOZ/lHBdRccJr6Ba8mrl0SCkPdQ8C6BqB0Nm/1FEJVenEg9YhjEVj3w o05Uuvp1VmlUn49flbjrSR+tIQquxH4kSaiR0J3iHY0A8jF80YhM2x3uGTsOxQDrrpcU hKP2u162mDF+VbYBawZHQC8hdms6OeHyx70vz1VO/7MQCM0vS8SwS0cL42MlEZ0XnH/v PWQb28p1OSnpU2zKRGRqXkmKd8onnXwoQJFSdha9bF3fpC2uq4xcAhJEVUOn/PjkuaBn XyqPl9jFFg9q7VEMbJ+45sD7mR+/RZ0Jw268SuIXZ4St70XCbQCv31jddmsV+pSx8SLP QWOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ShHjQysUBtuxNJ+pH62O9En8/VVV59KhlFkmqvEAWnQ=; fh=03pTtsTzUHccv9CTnL1bYQJ6M2HV22ACyQWK+DO3HTw=; b=Zyr8MnDtA9bEmz5Esc+kcEUKsFb+81418yU69q0tgbjW7ZqH8eRSllZC2T8HGFhP1a xDuszHj0NJozzvN/QPCEqEioYd7dYBtjQxF5qLnNOGD6TlIVekUho7UCTBsw0wsCLsgE EKJcbvUoPz6DJX+e8LX4nDE1FZ4uqUFIH982q+xQkrz0aq/hK7E0TfHj1fmmWxa+d9Xd 74yF18nJHo67BcnWzgshGhjzuJSpVnYrYXO5WdP5jq7xUN8dhGSf+3oKEl2N/qvW+NOf RWcvKYGcq8pzkytAIy8gy5GP0sDiXnIkGqFBltBvd/JsQAtG93WuAocl7tvrt4j44BWF z1Qw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Qpv7NU8Z; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id q2-20020a63cc42000000b00585a5e9a965si899047pgi.161.2023.11.16.18.31.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Nov 2023 18:31:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Qpv7NU8Z; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id D11D58266529; Thu, 16 Nov 2023 18:31:46 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229854AbjKQCbo (ORCPT + 53 others); Thu, 16 Nov 2023 21:31:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229437AbjKQCbn (ORCPT ); Thu, 16 Nov 2023 21:31:43 -0500 Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C64CCE; Thu, 16 Nov 2023 18:31:40 -0800 (PST) Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-2802d218242so1286278a91.1; Thu, 16 Nov 2023 18:31:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700188300; x=1700793100; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ShHjQysUBtuxNJ+pH62O9En8/VVV59KhlFkmqvEAWnQ=; b=Qpv7NU8ZyGgmFckPiV2JBny6Kx8nOGRL9bZFfgRLvHxp+NzpHfqWRAOnSkFRYsQj+w WZe5oWrryy6VU/SZkL2pbRyDtX+RCDH1/DO0EHUz5aTWZhnEJY4jsTJoWZNSRM7aGNx8 Lk7PkxBK0Z7i1Sg36l+BcBL2luoICaI3jjG/FXAdtutwhGqhkuCbUZjDnquoebQmIF+H OizYsLWTUrpHTgInjt4tjzX98jdA+P/Ebuka9d0U5BLQld+ufAg8569CKMRgWD6wLdfd B/LKP7WiQlHLLFh8i/WCREI/HmzcD194p9zhbsceZRgFj0K0/V756KaAWhcyhnYIbC6L 7JdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700188300; x=1700793100; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ShHjQysUBtuxNJ+pH62O9En8/VVV59KhlFkmqvEAWnQ=; b=Q7yIpA1TQZypD4Oi+CChvC57LoE25FAkipG/jNpslKFjeiv5jY9XtSiCRDoLBK7408 sIrLYfaMlidXE7GkSyMba4ppSNrgnOgC2PmeVB257r4OAUTG5HTE/rfRpQl20j+hPyF8 n7J8xcxiqDocQRK2KNi4vXjnZN2xv34NU8HRgjez9q/SNg1BTrLK2Q0CgfMsalpR86ZD fgp0qEoFfeynf1ILgtXgRmJ+z/4Ke1UNI/0h9uUuPWq/stah9pUrL+X3dBP+PNWmCGyd USfO5K19I3CkUBTnRCQsrv4QPhjU5EuSeajpwetKQn3ovj8hjHlvWjZFcZFr4B0L4t52 GgbQ== X-Gm-Message-State: AOJu0YxZKRihEL+k49CD22OrnDSqmTBVK0y56Kvh9NjmpHifm6ahdiKY 5FWTy8Hddbphc61I1C0MFpAXEAXctRQ7r8bs0PU= X-Received: by 2002:a17:90b:1810:b0:280:2652:d42 with SMTP id lw16-20020a17090b181000b0028026520d42mr20455528pjb.23.1700188299572; Thu, 16 Nov 2023 18:31:39 -0800 (PST) MIME-Version: 1.0 References: <20231106141704.866455-1-zyytlz.wz@163.com> <87o7g7ueom.fsf@kernel.org> <18ba5520da0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com> <18bd95c97f0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com> <87h6llmu7t.wl-tiwai@suse.de> In-Reply-To: <87h6llmu7t.wl-tiwai@suse.de> From: Zheng Hacker Date: Fri, 17 Nov 2023 10:31:26 +0800 Message-ID: Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach To: Takashi Iwai Cc: Arend Van Spriel , Kalle Valo , Zheng Wang , aspriel@gmail.com, franky.lin@broadcom.com, hante.meuleman@broadcom.com, johannes.berg@intel.com, marcan@marcan.st, linus.walleij@linaro.org, jisoo.jang@yonsei.ac.kr, linuxlovemin@yonsei.ac.kr, wataru.gohda@cypress.com, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, linux-kernel@vger.kernel.org, security@kernel.org, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 16 Nov 2023 18:31:47 -0800 (PST) Yes, that makes this issue hard to fix. I was wondering why it binds the worker with the timer rather than using just one of them. Takashi Iwai =E4=BA=8E2023=E5=B9=B411=E6=9C=8817=E6=97=A5= =E5=91=A8=E4=BA=94 02:25=E5=86=99=E9=81=93=EF=BC=9A > > On Thu, 16 Nov 2023 19:20:06 +0100, > Arend Van Spriel wrote: > > > > On November 15, 2023 4:00:46 PM Zheng Hacker = wrote: > > > > > Arend van Spriel =E4=BA=8E2023=E5=B9= =B411=E6=9C=8813=E6=97=A5=E5=91=A8=E4=B8=80 17:18=E5=86=99=E9=81=93=EF=BC= =9A > > >> > > >> On November 8, 2023 4:03:26 AM Zheng Hacker > > >> wrote: > > >> > > >>> Arend Van Spriel =E4=BA=8E2023=E5=B9= =B411=E6=9C=886=E6=97=A5=E5=91=A8=E4=B8=80 23:48=E5=86=99=E9=81=93=EF=BC=9A > > >>>> > > >>>> On November 6, 2023 3:44:53 PM Zheng Hacker wrote: > > >>>> > > >>>>> Thanks! I didn't test it for I don't have a device. Very apprecia= ted > > >>>>> if anyone could help with that. > > >>>> > > >>>> I would volunteer, but it made me dig deep and not sure if there i= s a > > >>>> problem to solve here. > > >>>> > > >>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scan= ning() -> > > >>>> brcmf_notify_escan_complete() which does delete the timer. > > >>>> > > >>>> What am I missing here? > > >>> > > >>> Thanks four your detailed review. I did see the code and not sure i= f > > >>> brcmf_notify_escan_complete > > >>> would be triggered for sure. So in the first version I want to dele= te > > >>> the pending timer ahead of time. > > >> > > >> Why requesting a CVE when you are not sure? Seems a bit hasty to put= it > > >> mildly. > > > > > > I'm sure the issue exists because there's only cancler of timer but n= ot woker. > > > As there's similar CVEs before like : https://github.com/V4bel/CVE-20= 22-41218, > > > I submit it as soon as I found it. > > > > Ah, yes. The cancel_work_sync() can also be done in > > brcmf_notify_escan_complete(). > > AFAIUC, brcmf_notify_scan_complete() is called from the work itself, > too, hence you can't issue cancel_work_sync() there (unless you make > it conditional). > > > Takashi