diff options
| author | Arend Van Spriel <arend.vanspriel@broadcom.com> | 2017-03-28 04:11:30 -0400 |
|---|---|---|
| committer | Kalle Valo <kvalo@codeaurora.org> | 2017-03-30 12:43:51 -0400 |
| commit | d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 (patch) | |
| tree | 52a9ee41042d543f0dd0a420f8d4912ea6e41863 | |
| parent | 893dc68f1b18451e6d550b1884fc6be76e1bb90c (diff) | |
brcmfmac: use local iftype avoiding use-after-free of virtual interface
A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual
interface is removed using call to brcmf_remove_interface(). After that
the virtual interface instance has been freed and should not be referenced.
Solve this by storing the nl80211 iftype in local variable, which is used
in a couple of places anyway.
Cc: stable@vger.kernel.org # 4.10.x, 4.9.x
Reported-by: Daniel J Blueman <daniel@quora.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
| -rw-r--r-- | drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c index de19c7c92bc6..85d949e03f79 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | |||
| @@ -2238,14 +2238,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev) | |||
| 2238 | struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy); | 2238 | struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy); |
| 2239 | struct brcmf_p2p_info *p2p = &cfg->p2p; | 2239 | struct brcmf_p2p_info *p2p = &cfg->p2p; |
| 2240 | struct brcmf_cfg80211_vif *vif; | 2240 | struct brcmf_cfg80211_vif *vif; |
| 2241 | enum nl80211_iftype iftype; | ||
| 2241 | bool wait_for_disable = false; | 2242 | bool wait_for_disable = false; |
| 2242 | int err; | 2243 | int err; |
| 2243 | 2244 | ||
| 2244 | brcmf_dbg(TRACE, "delete P2P vif\n"); | 2245 | brcmf_dbg(TRACE, "delete P2P vif\n"); |
| 2245 | vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev); | 2246 | vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev); |
| 2246 | 2247 | ||
| 2248 | iftype = vif->wdev.iftype; | ||
| 2247 | brcmf_cfg80211_arm_vif_event(cfg, vif); | 2249 | brcmf_cfg80211_arm_vif_event(cfg, vif); |
| 2248 | switch (vif->wdev.iftype) { | 2250 | switch (iftype) { |
| 2249 | case NL80211_IFTYPE_P2P_CLIENT: | 2251 | case NL80211_IFTYPE_P2P_CLIENT: |
| 2250 | if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state)) | 2252 | if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state)) |
| 2251 | wait_for_disable = true; | 2253 | wait_for_disable = true; |
| @@ -2275,7 +2277,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev) | |||
| 2275 | BRCMF_P2P_DISABLE_TIMEOUT); | 2277 | BRCMF_P2P_DISABLE_TIMEOUT); |
| 2276 | 2278 | ||
| 2277 | err = 0; | 2279 | err = 0; |
| 2278 | if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) { | 2280 | if (iftype != NL80211_IFTYPE_P2P_DEVICE) { |
| 2279 | brcmf_vif_clear_mgmt_ies(vif); | 2281 | brcmf_vif_clear_mgmt_ies(vif); |
| 2280 | err = brcmf_p2p_release_p2p_if(vif); | 2282 | err = brcmf_p2p_release_p2p_if(vif); |
| 2281 | } | 2283 | } |
| @@ -2291,7 +2293,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev) | |||
| 2291 | brcmf_remove_interface(vif->ifp, true); | 2293 | brcmf_remove_interface(vif->ifp, true); |
| 2292 | 2294 | ||
| 2293 | brcmf_cfg80211_arm_vif_event(cfg, NULL); | 2295 | brcmf_cfg80211_arm_vif_event(cfg, NULL); |
| 2294 | if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) | 2296 | if (iftype != NL80211_IFTYPE_P2P_DEVICE) |
| 2295 | p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL; | 2297 | p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL; |
| 2296 | 2298 | ||
| 2297 | return err; | 2299 | return err; |