From: Kalle Valo
To: Arend van Spriel
Cc: Zheng Hacker, Zheng Wang, aspriel@gmail.com, franky.lin@broadcom.com, hante.meuleman@broadcom.com, johannes.berg@intel.com, marcan@marcan.st, linus.walleij@linaro.org, jisoo.jang@yonsei.ac.kr, linuxlovemin@yonsei.ac.kr, wataru.gohda@cypress.com, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, linux-kernel@vger.kernel.org, security@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v5] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
References: <20231106141704.866455-1-zyytlz.wz@163.com> <87o7g7ueom.fsf@kernel.org> <18ba5520da0.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com>
Date: Mon, 13 Nov 2023 14:11:51 +0200
In-Reply-To: (Arend van Spriel's message of "Mon, 13 Nov 2023 10:18:06 +0100")
Message-ID: <874jhpvomw.fsf@kernel.org>

Arend van Spriel writes:

> On November 8, 2023 4:03:26 AM Zheng Hacker wrote:
>
>> Arend Van Spriel wrote on Monday, November 6, 2023 at 23:48:
>>>
>>> On November 6, 2023 3:44:53 PM Zheng Hacker wrote:
>>>
>>>> Thanks! I didn't test it for I don't have a device. Very appreciated
>>>> if anyone could help with that.
>>>
>>> I would volunteer, but it made me dig deep and not sure if there is a
>>> problem to solve here.
>>>
>>> brcmf_cfg80211_detach() calls wl_deinit_priv() -> brcmf_abort_scanning() ->
>>> brcmf_notify_escan_complete() which does delete the timer.
>>>
>>> What am I missing here?
>>
>> Thanks for your detailed review. I did see the code and not sure if
>> brcmf_notify_escan_complete
>> would be triggered for sure. So in the first version I want to delete
>> the pending timer ahead of time.
>
> Why requesting a CVE when you are not sure? Seems a bit hasty to put
> it mildly.

TBH I don't take CVE entries seriously anymore. I don't know what has
happened there.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches