mirror of https://github.com/torvalds/linux.git
9cb83d4be0
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... |
kfree(cfg->btcoex); // FREE |
| schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... | schedule_work(); // Reschedule
|
kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
/* | btci = container_of(....); // USE
The kfree() above could | ...
also occur at any point | btci-> // USE
during the worker's execution|
*/ |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Fixes:
|
||
|---|---|---|
| .. | ||
| arcnet | ||
| bonding | ||
| caif | ||
| can | ||
| dsa | ||
| ethernet | ||
| fddi | ||
| fjes | ||
| hamradio | ||
| hippi | ||
| hyperv | ||
| ieee802154 | ||
| ipa | ||
| ipvlan | ||
| mctp | ||
| mdio | ||
| netdevsim | ||
| ovpn | ||
| pcs | ||
| phy | ||
| plip | ||
| ppp | ||
| pse-pd | ||
| slip | ||
| team | ||
| thunderbolt | ||
| usb | ||
| vmxnet3 | ||
| vxlan | ||
| wan | ||
| wireguard | ||
| wireless | ||
| wwan | ||
| xen-netback | ||
| Kconfig | ||
| LICENSE.SRC | ||
| Makefile | ||
| Space.c | ||
| amt.c | ||
| bareudp.c | ||
| dummy.c | ||
| eql.c | ||
| geneve.c | ||
| gtp.c | ||
| ifb.c | ||
| loopback.c | ||
| macsec.c | ||
| macvlan.c | ||
| macvtap.c | ||
| mdio.c | ||
| mhi_net.c | ||
| mii.c | ||
| net_failover.c | ||
| netconsole.c | ||
| netkit.c | ||
| nlmon.c | ||
| ntb_netdev.c | ||
| pfcp.c | ||
| rionet.c | ||
| sungem_phy.c | ||
| tap.c | ||
| tun.c | ||
| tun_vnet.h | ||
| veth.c | ||
| virtio_net.c | ||
| vrf.c | ||
| vsockmon.c | ||
| xen-netfront.c | ||