Marcel Hamer <marcel.hamer@xxxxxxxxxxxxx> wrote:

> On removal of the device or unloading of the kernel module a potential
> NULL pointer dereference occurs.
>
> The following sequence deletes the interface:
>
> brcmf_detach()
>   brcmf_remove_interface()
>     brcmf_del_if()
>
> Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
> BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
>
> After the brcmf_remove_interface() call the brcmf_proto_detach() function is
> called, providing the following sequence:
>
> brcmf_detach()
>   brcmf_proto_detach()
>     brcmf_proto_msgbuf_detach()
>       brcmf_flowring_detach()
>         brcmf_msgbuf_delete_flowring()
>           brcmf_msgbuf_remove_flowring()
>             brcmf_flowring_delete()
>               brcmf_get_ifp()
>               brcmf_txfinalize()
>
> Since brcmf_get_ifp() can and actually will return NULL in this case, the
> call to brcmf_txfinalize() will result in a NULL pointer dereference
> inside brcmf_txfinalize() when trying to update
> ifp->ndev->stats.tx_errors.
>
> This will only happen if a flowring still has an skb.
>
> Although the NULL pointer dereference has only been seen when trying to update
> the tx statistic, all other uses of the ifp pointer have been guarded as well.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Marcel Hamer <marcel.hamer@xxxxxxxxxxxxx>
> Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@xxxxxxxxx/

If you submit v3, please add 'wifi:'.

ERROR: 'wifi:' prefix missing: '[PATCH v2] brcmfmac: NULL pointer dereference on tx statistic update'

Patch set to Changes Requested.

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20250110134502.824722-1-marcel.hamer@xxxxxxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
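The detach ordering described in the quoted commit message, reduced to a stand-alone C model (added here as an illustration; this is not brcmfmac code and not the patch itself). The struct layouts, the sk_buff stand-in, the queue representation and every function body are simplified assumptions; only the names mirror the driver. The model shows why brcmf_get_ifp() returns NULL once brcmf_del_if() has written BRCMF_BSSIDX_INVALID into if2bss[], and the guard in brcmf_txfinalize() that lets a ring still holding skbs be drained without touching ifp->ndev:

```c
/* Added example, not brcmfmac code: simplified model of the detach path. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define BRCMF_MAX_IFS        16
#define BRCMF_BSSIDX_INVALID (-1)

struct net_device { struct { unsigned long tx_errors; } stats; };
struct brcmf_if   { int bsscfgidx; struct net_device *ndev; };
struct brcmf_pub {
	struct brcmf_if *iflist[BRCMF_MAX_IFS]; /* indexed by bsscfgidx */
	int if2bss[BRCMF_MAX_IFS];              /* ifidx -> bsscfgidx */
};
/* Stand-in for struct sk_buff: singly linked list of pending tx packets. */
struct sk_buff { struct sk_buff *next; };
struct brcmf_flowring_ring { int ifidx; struct sk_buff *skblist; };

/* Model of brcmf_get_ifp(): NULL for a bad ifidx or an invalidated mapping. */
struct brcmf_if *brcmf_get_ifp(struct brcmf_pub *drvr, int ifidx)
{
	if (ifidx < 0 || ifidx >= BRCMF_MAX_IFS)
		return NULL;
	if (drvr->if2bss[ifidx] < 0)
		return NULL;
	return drvr->iflist[drvr->if2bss[ifidx]];
}

/* Model of brcmf_del_if(): drop every ifidx mapping that names bsscfgidx. */
void brcmf_del_if(struct brcmf_pub *drvr, int bsscfgidx)
{
	for (int ifidx = 0; ifidx < BRCMF_MAX_IFS; ifidx++)
		if (drvr->if2bss[ifidx] == bsscfgidx)
			drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
	drvr->iflist[bsscfgidx] = NULL;
}

/* Model of brcmf_txfinalize() with the NULL guard. Without "&& ifp" the
 * tx_errors update dereferences NULL on the detach path modelled below.
 * Returns true if the statistic was updated. */
bool brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success)
{
	bool counted = false;

	if (!success && ifp) {
		ifp->ndev->stats.tx_errors++;
		counted = true;
	}
	free(txp); /* stand-in for freeing the skb */
	return counted;
}

/* Model of brcmf_flowring_delete(): every skb left on the ring is finalized
 * as a failed transmission. Returns the number of skbs freed. */
int brcmf_flowring_delete(struct brcmf_pub *drvr, struct brcmf_flowring_ring *ring)
{
	struct brcmf_if *ifp = brcmf_get_ifp(drvr, ring->ifidx);
	int freed = 0;

	while (ring->skblist) {
		struct sk_buff *skb = ring->skblist;
		ring->skblist = skb->next;
		brcmf_txfinalize(ifp, skb, false);
		freed++;
	}
	return freed;
}

/* Constructed scenario: one interface (ifidx 0, bsscfgidx 0) and a ring
 * holding nskb queued packets. With detach_first the interface is removed
 * before the ring is drained, as in brcmf_detach(); otherwise the ring is
 * drained while the interface is still registered. Returns the tx_errors
 * count left on the netdev. */
unsigned long drain_ring(int nskb, bool detach_first)
{
	struct net_device ndev = { { 0 } };
	struct brcmf_if ifp = { 0, &ndev };
	struct brcmf_flowring_ring ring = { 0, NULL };
	struct brcmf_pub drvr;

	for (int i = 0; i < BRCMF_MAX_IFS; i++) {
		drvr.iflist[i] = NULL;
		drvr.if2bss[i] = BRCMF_BSSIDX_INVALID;
	}
	drvr.iflist[0] = &ifp;
	drvr.if2bss[0] = 0;
	for (int i = 0; i < nskb; i++) {
		struct sk_buff *skb = calloc(1, sizeof(*skb));
		skb->next = ring.skblist;
		ring.skblist = skb;
	}

	if (detach_first)
		brcmf_del_if(&drvr, 0);     /* brcmf_remove_interface() path */
	brcmf_flowring_delete(&drvr, &ring); /* brcmf_proto_detach() path */
	return ndev.stats.tx_errors;
}
```

drain_ring(3, true) returns 0: brcmf_get_ifp() yields NULL for every queued skb and the guard skips the statistic, whereas the pre-fix unconditional update would have faulted on the first one. drain_ring(3, false) returns 3, showing the guard does not change behaviour while the interface is still registered.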