From d2e015523d8dc4f2d415a491808ed8543e011170 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Jan 30 2024 14:23:41 +0000
Subject: wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

(CVE-2023-47233 bsc#1216702).

---

diff --git a/patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch b/patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
new file mode 100644
index 0000000..8832e48
--- /dev/null
+++ b/patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
@@ -0,0 +1,72 @@
+From 0f7352557a35ab7888bc7831411ec8a3cbe20d78 Mon Sep 17 00:00:00 2001
+From: Zheng Wang <zyytlz.wz@163.com>
+Date: Sun, 7 Jan 2024 08:25:04 +0100
+Subject: [PATCH] wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
+Git-commit: 0f7352557a35ab7888bc7831411ec8a3cbe20d78
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git
+Patch-mainline: Queued in subsystem maintainer repo
+References: CVE-2023-47233 bsc#1216702
+
+This is the candidate patch of CVE-2023-47233 :
+https://nvd.nist.gov/vuln/detail/CVE-2023-47233
+
+In brcm80211 driver,it starts with the following invoking chain
+to start init a timeout worker:
+
+->brcmf_usb_probe
+  ->brcmf_usb_probe_cb
+    ->brcmf_attach
+      ->brcmf_bus_started
+        ->brcmf_cfg80211_attach
+          ->wl_init_priv
+            ->brcmf_init_escan
+              ->INIT_WORK(&cfg->escan_timeout_work,
+		  brcmf_cfg80211_escan_timeout_worker);
+
+If we disconnect the USB by hotplug, it will call
+brcmf_usb_disconnect to make cleanup. The invoking chain is :
+
+brcmf_usb_disconnect
+  ->brcmf_usb_disconnect_cb
+    ->brcmf_detach
+      ->brcmf_cfg80211_detach
+        ->kfree(cfg);
+
+While the timeout woker may still be running. This will cause
+a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.
+
+Fix it by deleting the timer and canceling the worker in
+brcmf_cfg80211_detach.
+
+Fixes: e756af5b30b0 ("brcmfmac: add e-scan support.")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Cc: stable@vger.kernel.org
+[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20240107072504.392713-1-arend.vanspriel@broadcom.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -729,8 +729,7 @@ s32 brcmf_notify_escan_complete(struct b
+ 	scan_request = cfg->scan_request;
+ 	cfg->scan_request = NULL;
+ 
+-	if (timer_pending(&cfg->escan_timeout))
+-		del_timer_sync(&cfg->escan_timeout);
++	timer_delete_sync(&cfg->escan_timeout);
+ 
+ 	if (fw_abort) {
+ 		/* Do a scan abort to stop the driver's scan engine */
+@@ -7026,5 +7025,6 @@ void brcmf_cfg80211_detach(struct brcmf_
+ 	wiphy_unregister(cfg->wiphy);
+ 	kfree(cfg->ops);
+ 	wl_deinit_priv(cfg);
++	cancel_work_sync(&cfg->escan_timeout_work);
+ 	brcmf_free_wiphy(cfg->wiphy);
+ }
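Review bot: `timer_delete_sync(&cfg->escan_timeout);` in the first hunk of the embedded patch only builds on trees that already provide timer_delete_sync() (it was introduced upstream as the successor of del_timer_sync() around v6.2), so since this file is a verbatim import of the upstream commit into the distro patch series, confirm the target branch has that helper and otherwise keep the call as `del_timer_sync(&cfg->escan_timeout);` — both are safe on a timer that is not pending, so the removed `timer_pending()` guard does not need to come back. The placement of the added `cancel_work_sync(&cfg->escan_timeout_work);` in brcmf_cfg80211_detach also deserves a comment: the commit message describes the fix as deleting the timer and cancelling the worker, and the cancel is deliberately placed after wl_deinit_priv() rather than first, presumably so the timer is already stopped and cannot re-queue the work once it has been cancelled; a line such as `/* timer is stopped by now; cancel the work it may have queued before cfg is freed */` would keep the next reader from "fixing" the order. Note that nothing here prevents the worker from running concurrently with wiphy_unregister(), kfree(cfg->ops) and wl_deinit_priv() themselves, so whether that remaining window is harmless depends on what the worker and wl_deinit_priv() touch, which is not visible in this hunk. Both enclosing functions start outside the hunk.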
diff --git a/series.conf b/series.conf
index cffbba5..806a211 100644
--- a/series.conf
+++ b/series.conf
@@ -27495,6 +27495,8 @@
 	# Bug 1209052 - CVE-2023-28464: kernel-source: double free in hci_conn_cleanup()
 	patches.suse/Bluetooth-Fix-double-free-in-hci_conn_cleanup.patch
 
+	patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
+
 	########################################################
 	# ISDN
 	########################################################
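Review bot: The new series.conf entry carries no `# Bug NNNN - CVE-...` header line, unlike the neighbouring Bluetooth entry directly above it, which is annotated with its bug and CVE number. Adding `# Bug 1216702 - CVE-2023-47233: kernel-source: use-after-free in brcmf_cfg80211_detach()` on the line before the patch path keeps the entry consistent with its siblings and greppable by bug and CVE id. The identifiers are taken from the References line of the patch being added.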