lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Mar 2017 15:14:04 +0800 From: Daniel J Blueman <daniel@...ra.org> To: Hante Meuleman <hante.meuleman@...adcom.com>, Arend Van Spriel <arend.vanspriel@...adcom.com>, Pieter-Paul Giesberts <pieterpg@...adcom.com> Cc: Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> Subject: [PATCH] 4.9.13 brcmfmac: fix use-after-free on resume KASAN reported 'struct wireless_dev wdev' was read after being freed. Fix by freeing after the access. Signed-off-by: Daniel J Blueman <daniel@...ra.org> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c index de19c7c..aa0f470 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c @@ -2288,12 +2288,13 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev) else err = 0; } - brcmf_remove_interface(vif->ifp, true); - brcmf_cfg80211_arm_vif_event(cfg, NULL); if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL; + brcmf_remove_interface(vif->ifp, true); + brcmf_cfg80211_arm_vif_event(cfg, NULL); + return err; } -- Daniel J Blueman
Powered by blists - more mailing lists