Marcel Hamer <marcel.hamer@xxxxxxxxxxxxx> wrote:

> On removal of the device or unloading of the kernel module a potential NULL
> pointer dereference occurs.
>
> The following sequence deletes the interface:
>
> brcmf_detach()
>   brcmf_remove_interface()
>     brcmf_del_if()
>
> Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
> BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
>
> After brcmf_remove_interface() call the brcmf_proto_detach() function is
> called providing the following sequence:
>
> brcmf_detach()
>   brcmf_proto_detach()
>     brcmf_proto_msgbuf_detach()
>       brcmf_flowring_detach()
>         brcmf_msgbuf_delete_flowring()
>           brcmf_msgbuf_remove_flowring()
>             brcmf_flowring_delete()
>               brcmf_get_ifp()
>               brcmf_txfinalize()
>
> Since brcmf_get_ifp() can and actually will return NULL in this case the
> call to brcmf_txfinalize() will result in a NULL pointer dereference inside
> brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
>
> This will only happen if a flowring still has an skb.
>
> Although the NULL pointer dereference has only been seen when trying to
> update the tx statistic, all other uses of the ifp pointer have been
> guarded as well with an early return if ifp is NULL.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Marcel Hamer <marcel.hamer@xxxxxxxxxxxxx>
> Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@xxxxxxxxx/
> Acked-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>

Patch applied to wireless-next.git, thanks.

68abd0c4ebf2 wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()

--
https://patchwork.kernel.org/project/linux-wireless/patch/20250116132240.731039-1-marcel.hamer@xxxxxxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
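As an added illustration, not the driver's code and not the applied patch: a small constructed model in C of the teardown ordering the commit message describes. The `model_*` functions, the struct layouts and the `MODEL_MAX_IFS` bound are hypothetical stand-ins for the brcmfmac internals; only `BRCMF_BSSIDX_INVALID` and the shape of the `if2bss` lookup follow the text. The interface is deleted first (the `brcmf_remove_interface()` step), which writes `BRCMF_BSSIDX_INVALID` into the mapping, and only afterwards is the flowring with queued skbs torn down, so every per-skb `ifp` lookup comes back NULL. The guarded finalize returns early rather than dereferencing `ifp->ndev`, and the caller counts how many skbs hit that path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the detach ordering from the commit message above.
 * The names mirror the driver's, but none of this is brcmfmac code. */
#define BRCMF_BSSIDX_INVALID (-1)
#define MODEL_MAX_IFS 4   /* hypothetical bound, not a driver constant */

struct net_device { struct { unsigned long tx_errors; } stats; };
struct brcmf_if { int bsscfgidx; struct net_device *ndev; };
struct sk_buff { int ifidx; bool in_flight; };

struct brcmf_pub {
	int if2bss[MODEL_MAX_IFS];              /* ifidx -> bsscfgidx, or BRCMF_BSSIDX_INVALID */
	struct brcmf_if *iflist[MODEL_MAX_IFS]; /* bsscfgidx -> interface */
};

/* Stand-in for brcmf_get_ifp(): NULL once the mapping has been invalidated. */
static struct brcmf_if *model_get_ifp(struct brcmf_pub *drvr, int ifidx)
{
	int bsscfgidx;

	if (ifidx < 0 || ifidx >= MODEL_MAX_IFS)
		return NULL;
	bsscfgidx = drvr->if2bss[ifidx];
	if (bsscfgidx == BRCMF_BSSIDX_INVALID)
		return NULL;
	return drvr->iflist[bsscfgidx];
}

/* Stand-in for brcmf_del_if(): the step that writes BRCMF_BSSIDX_INVALID. */
static void model_del_if(struct brcmf_pub *drvr, int bsscfgidx)
{
	int i;

	for (i = 0; i < MODEL_MAX_IFS; i++)
		if (drvr->if2bss[i] == bsscfgidx)
			drvr->if2bss[i] = BRCMF_BSSIDX_INVALID;
	drvr->iflist[bsscfgidx] = NULL;
}

/* Stand-in for the guarded brcmf_txfinalize(): early return on a NULL ifp
 * instead of touching ifp->ndev->stats.tx_errors. Returns false when the
 * interface was already gone, so the caller can count orphaned skbs. */
static bool model_txfinalize(struct brcmf_if *ifp, struct sk_buff *skb, bool success)
{
	if (!ifp)
		return false;
	if (!success)
		ifp->ndev->stats.tx_errors++;
	skb->in_flight = false;
	return true;
}

/* Stand-in for brcmf_flowring_delete(): finalizes every skb still queued on
 * the ring, looking the ifp up per skb as the detach path does. */
static int model_flowring_delete(struct brcmf_pub *drvr, struct sk_buff *ring, int n)
{
	int orphaned = 0;
	int i;

	for (i = 0; i < n; i++) {
		struct brcmf_if *ifp = model_get_ifp(drvr, ring[i].ifidx);

		if (!model_txfinalize(ifp, &ring[i], false))
			orphaned++;
	}
	return orphaned;
}

/* Replays the ordering from brcmf_detach(): the interface is removed first,
 * then a flowring with two skbs still on it is torn down. Returns the number
 * of skbs that reached txfinalize with ifp == NULL (2 for this constructed
 * scenario); without the guard each of them would be a NULL dereference. */
int model_detach_scenario(void)
{
	struct net_device ndev = { { 0 } };
	struct brcmf_if ifp = { 0, &ndev };
	struct brcmf_pub drvr = {
		.if2bss = { 0, BRCMF_BSSIDX_INVALID, BRCMF_BSSIDX_INVALID, BRCMF_BSSIDX_INVALID },
		.iflist = { &ifp },
	};
	struct sk_buff ring[2] = { { 0, true }, { 0, true } };

	model_del_if(&drvr, 0);                        /* brcmf_remove_interface() */
	return model_flowring_delete(&drvr, ring, 2);  /* brcmf_proto_detach() path */
}

int main(void)
{
	printf("skbs finalized with ifp == NULL: %d\n", model_detach_scenario());
	return 0;
}
```

The point the model makes is that the lookup result, not the ring, is what changes between the two detach steps: nothing removes the queued skbs when the interface goes away, so any per-skb code on the later teardown path has to tolerate a NULL `ifp` rather than assume the interface that queued the packet still exists.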