In brcm80211 driver,it starts with the following invoking chain
to start init a timeout worker:

->brcmf_usb_probe
  ->brcmf_usb_probe_cb
    ->brcmf_attach
      ->brcmf_bus_started
        ->brcmf_cfg80211_attach
          ->wl_init_priv
            ->brcmf_init_escan
              ->INIT_WORK(&cfg->escan_timeout_work,
		  brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call
brcmf_usb_disconnect to make cleanup. The invoking chain is :

brcmf_usb_disconnect
  ->brcmf_usb_disconnect_cb
    ->brcmf_detach
      ->brcmf_cfg80211_detach
        ->kfree(cfg);

While the timeout woker may still be running. This will cause
a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in
brcmf_cfg80211_detach.

Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Cc: stable@vger.kernel.org
---
v3:
- rename the subject as Johannes suggested
v2:
- fix the error of kernel test bot reported
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 667462369a32..646ec8bdf512 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
 	if (!cfg)
 		return;
 
+	if (timer_pending(&cfg->escan_timeout))
+		del_timer_sync(&cfg->escan_timeout);
+	cancel_work_sync(&cfg->escan_timeout_work);
 	brcmf_pno_detach(cfg);
 	brcmf_btcoex_detach(cfg);
 	wiphy_unregister(cfg->wiphy);
-- 
2.25.1

This is the candidate patch of CVE-2023-47233 :
https://nvd.nist.gov/vuln/detail/CVE-2023-47233

Appreciate the review and suggestions.

Zheng Wang <zyytlz.wz@163.com> 于2023年11月6日周一 12:42写道：
>
> In brcm80211 driver,it starts with the following invoking chain
> to start init a timeout worker:
>
> ->brcmf_usb_probe
>   ->brcmf_usb_probe_cb
>     ->brcmf_attach
>       ->brcmf_bus_started
>         ->brcmf_cfg80211_attach
>           ->wl_init_priv
>             ->brcmf_init_escan
>               ->INIT_WORK(&cfg->escan_timeout_work,
>                   brcmf_cfg80211_escan_timeout_worker);
>
> If we disconnect the USB by hotplug, it will call
> brcmf_usb_disconnect to make cleanup. The invoking chain is :
>
> brcmf_usb_disconnect
>   ->brcmf_usb_disconnect_cb
>     ->brcmf_detach
>       ->brcmf_cfg80211_detach
>         ->kfree(cfg);
>
> While the timeout woker may still be running. This will cause
> a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
>
> Fix it by deleting the timer and canceling the worker in
> brcmf_cfg80211_detach.
>
> Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Cc: stable@vger.kernel.org
> ---
> v3:
> - rename the subject as Johannes suggested
> v2:
> - fix the error of kernel test bot reported
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 667462369a32..646ec8bdf512 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -8431,6 +8431,9 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
>         if (!cfg)
>                 return;
>
> +       if (timer_pending(&cfg->escan_timeout))
> +               del_timer_sync(&cfg->escan_timeout);
> +       cancel_work_sync(&cfg->escan_timeout_work);
>         brcmf_pno_detach(cfg);
>         brcmf_btcoex_detach(cfg);
>         wiphy_unregister(cfg->wiphy);
> --
> 2.25.1
>

> -----Original Message-----
> From: Zheng Hacker <hackerzheng666@gmail.com>
> Sent: Monday, November 6, 2023 1:16 PM
> To: Zheng Wang <zyytlz.wz@163.com>
> Cc: aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; kvalo@kernel.org;
> johannes.berg@intel.com; marcan@marcan.st; linus.walleij@linaro.org; jisoo.jang@yonsei.ac.kr;
> linuxlovemin@yonsei.ac.kr; wataru.gohda@cypress.com; linux-wireless@vger.kernel.org;
> brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; linux-kernel@vger.kernel.org;
> security@kernel.org; stable@vger.kernel.org
> Subject: Re: [PATCH v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

subject prefix "wif: brcmfmac: ..."
Try "git log --oneline drivers/net/wireless/broadcom/brcm80211/brcmfmac" to know that. 

> 
> This is the candidate patch of CVE-2023-47233 :
> https://nvd.nist.gov/vuln/detail/CVE-2023-47233

I think you can add this link to commit message as well. 

Ping-Ke Shih <pkshih@realtek.com> 于2023年11月6日周一 14:43写道：
>
>
>
> > -----Original Message-----
> > From: Zheng Hacker <hackerzheng666@gmail.com>
> > Sent: Monday, November 6, 2023 1:16 PM
> > To: Zheng Wang <zyytlz.wz@163.com>
> > Cc: aspriel@gmail.com; franky.lin@broadcom.com; hante.meuleman@broadcom.com; kvalo@kernel.org;
> > johannes.berg@intel.com; marcan@marcan.st; linus.walleij@linaro.org; jisoo.jang@yonsei.ac.kr;
> > linuxlovemin@yonsei.ac.kr; wataru.gohda@cypress.com; linux-wireless@vger.kernel.org;
> > brcm80211-dev-list.pdl@broadcom.com; SHA-cyfmac-dev-list@infineon.com; linux-kernel@vger.kernel.org;
> > security@kernel.org; stable@vger.kernel.org
> > Subject: Re: [PATCH v3] brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
>
> subject prefix "wif: brcmfmac: ..."
> Try "git log --oneline drivers/net/wireless/broadcom/brcm80211/brcmfmac" to know that.
>

Get it! Thanks for your kind reminder.

> >
> > This is the candidate patch of CVE-2023-47233 :
> > https://nvd.nist.gov/vuln/detail/CVE-2023-47233
>
> I think you can add this link to commit message as well.
>
>

Will apply your suggestion in the next version.

Best regrads,
Zheng