CVE-2022-50408

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50408
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50408.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50408
Downstream
Published
2025-09-18T16:15:44Z
Modified
2025-09-19T16:00:27Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()

ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);

may be scheduled, and then complete before the line

ndev->stats.tx_bytes += skb->len;

[ 46.912801] ==================================================================
[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
[ 46.935991]
[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
[ 46.947255] Hardware name: [REDACTED]
[ 46.954568] Call trace:
[ 46.957037]  dump_backtrace+0x0/0x2b8
[ 46.960719]  show_stack+0x24/0x30
[ 46.964052]  dump_stack+0x128/0x194
[ 46.967557]  print_address_description.isra.0+0x64/0x380
[ 46.972877]  __kasan_report+0x1d4/0x240
[ 46.976723]  kasan_report+0xc/0x18
[ 46.980138]  __asan_report_load4_noabort+0x18/0x20
[ 46.985027]  brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.990613]  dev_hard_start_xmit+0x1bc/0xda0
[ 46.994894]  sch_direct_xmit+0x198/0xd08
[ 46.998827]  __qdisc_run+0x37c/0x1dc0
[ 47.002500]  __dev_queue_xmit+0x1528/0x21f8
[ 47.006692]  dev_queue_xmit+0x24/0x30
[ 47.010366]  neigh_resolve_output+0x37c/0x678
[ 47.014734]  ip_finish_output2+0x598/0x2458
[ 47.018927]  __ip_finish_output+0x300/0x730
[ 47.023118]  ip_output+0x2e0/0x430
[ 47.026530]  ip_local_out+0x90/0x140
[ 47.030117]  igmpv3_sendpack+0x14c/0x228
[ 47.034049]  igmpv3_send_cr+0x384/0x6b8
[ 47.037895]  igmp_ifc_timer_expire+0x4c/0x118
[ 47.042262]  call_timer_fn+0x1cc/0xbe8
[ 47.046021]  __run_timers+0x4d8/0xb28
[ 47.049693]  run_timer_softirq+0x24/0x40
[ 47.053626]  __do_softirq+0x2c0/0x117c
[ 47.057387]  irq_exit+0x2dc/0x388
[ 47.060715]  __handle_domain_irq+0xb4/0x158
[ 47.064908]  gic_handle_irq+0x58/0xb0
[ 47.068581]  el0_irq_naked+0x50/0x5c
[ 47.072162]
[ 47.073665] Allocated by task 328:
[ 47.077083]  save_stack+0x24/0xb0
[ 47.080410]  __kasan_kmalloc.isra.0+0xc0/0xe0
[ 47.084776]  kasan_slab_alloc+0x14/0x20
[ 47.088622]  kmem_cache_alloc+0x15c/0x468
[ 47.092643]  __alloc_skb+0xa4/0x498
[ 47.096142]  igmpv3_newpack+0x158/0xd78
[ 47.099987]  add_grhead+0x210/0x288
[ 47.103485]  add_grec+0x6b0/0xb70
[ 47.106811]  igmpv3_send_cr+0x2e0/0x6b8
[ 47.110657]  igmp_ifc_timer_expire+0x4c/0x118
[ 47.115027]  call_timer_fn+0x1cc/0xbe8
[ 47.118785]  __run_timers+0x4d8/0xb28
[ 47.122457]  run_timer_softirq+0x24/0x40
[ 47.126389]  __do_softirq+0x2c0/0x117c
[ 47.130142]
[ 47.131643] Freed by task 180:
[ 47.134712]  save_stack+0x24/0xb0
[ 47.138041]  __kasan_slab_free+0x108/0x180
[ 47.142146]  kasan_slab_free+0x10/0x18
[ 47.145904]  slab_free_freelist_hook+0xa4/0x1b0
[ 47.150444]  kmem_cache_free+0x8c/0x528
[ 47.154292]  kfree_skbmem+0x94/0x108
[ 47.157880]  consume_skb+0x10c/0x5a8
[ 47.161466]  __dev_kfree_skb_any+0x88/0xa0
[ 47.165598]  brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
[ 47.171023]  brcmf_txfinalize+0xec/0x190 [brcmfmac]
[ 47.176016]  brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
[ 47.182056]  brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
[ 47.187568]  brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
[ 47.192529]  brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
[ 47.197859]  process_one_work+0x7fc/0x1a80
[ 47.201965]  worker_thread+0x31c/0xc40
[ 47.205726]  kthread+0x2d8/0x370
[ 47.208967]  ret_from_fork+0x10/0x18
[ 47.212546]
[ 47.214051] The buggy address belongs to the object at ffffff803f588280
[ 47.214051]  which belongs to the cache skbuff_head_cache of size 208
[ 47.227086] The buggy address is located 104 bytes inside of
[ 47.227086]  208-byte region [ffffff803f588280, ffffff803f588350)
[ 47.238814] The buggy address belongs to the page:
[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcou ---truncated---
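The ordering problem the commit message describes, as an added user-space model that is not the kernel's or the brcmfmac driver's code. The skb and stats structures, the fixed-size pool, the immediate "completion" inside the queue call and the poison value are assumptions of this model; only the names and the shape of the two paths mirror the commit message. The transmit path takes ownership of the skb and frees it, so the vulnerable shape reads skb->len from a freed object, while the fixed shape snapshots the length while the caller still owns the skb. The pool is static and poisoned on free, so the stale read is observable here instead of undefined, which is what KASAN makes visible in the real kernel.

```c
/* Added example: user-space model of the brcmf_netdev_start_xmit() race.
 * Not kernel code. Pool size, immediate completion and POISON_LEN are
 * assumptions of this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE   4
#define POISON_LEN  0xDEADBEEFu   /* stands in for a KASAN-poisoned freed object */

struct sk_buff { uint32_t len; bool in_use; };
struct net_device_stats { uint64_t tx_packets, tx_bytes, tx_dropped; };

static struct sk_buff skb_pool[POOL_SIZE];   /* toy slab cache */

/* Hand out an unused pool slot holding a frame of 'len' bytes; NULL when exhausted. */
static struct sk_buff *model_alloc_skb(uint32_t len)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!skb_pool[i].in_use) {
            skb_pool[i].in_use = true;
            skb_pool[i].len = len;
            return &skb_pool[i];
        }
    }
    return NULL;
}

/* Release a slot and poison its fields so a stale read is visible. */
static void model_kfree_skb(struct sk_buff *skb)
{
    skb->in_use = false;
    skb->len = POISON_LEN;
}

/* Model of brcmf_proto_tx_queue_data(): ownership of the skb passes to the
 * transmit path. In the driver the completion runs on a worker and may or
 * may not win the race with the caller's next line; this model always lets
 * it win by completing (and freeing) synchronously. Returns 0 on success. */
static int model_tx_queue_data(struct sk_buff *skb)
{
    model_kfree_skb(skb);
    return 0;
}

/* Vulnerable shape: skb->len is read after ownership was given away. */
static void start_xmit_vulnerable(struct sk_buff *skb, struct net_device_stats *st)
{
    int ret = model_tx_queue_data(skb);
    if (ret) {
        st->tx_dropped++;
    } else {
        st->tx_packets++;
        st->tx_bytes += skb->len;   /* use-after-free: reads the poisoned object */
    }
}

/* Fixed shape: copy what the stats need from the skb before queueing it. */
static void start_xmit_fixed(struct sk_buff *skb, struct net_device_stats *st)
{
    uint32_t len = skb->len;        /* snapshot while the caller still owns the skb */
    int ret = model_tx_queue_data(skb);
    if (ret) {
        st->tx_dropped++;
    } else {
        st->tx_packets++;
        st->tx_bytes += len;
    }
}

/* Drive one frame of 'len' bytes through either path and return tx_bytes. */
static uint64_t tx_bytes_after_one_frame(uint32_t len, bool fixed)
{
    struct net_device_stats st = {0};
    struct sk_buff *skb = model_alloc_skb(len);
    if (!skb)
        return 0;
    if (fixed)
        start_xmit_fixed(skb, &st);
    else
        start_xmit_vulnerable(skb, &st);
    return st.tx_bytes;
}

int main(void)
{
    printf("fixed path tx_bytes      = %llu\n",
           (unsigned long long)tx_bytes_after_one_frame(1500, true));
    printf("vulnerable path tx_bytes = 0x%llx (poison: freed memory)\n",
           (unsigned long long)tx_bytes_after_one_frame(1500, false));
    return 0;
}
```

The general rule the fix applies: once a buffer has been handed to a path that may free it (a queue, a completion callback, another thread), nothing about it may be read afterwards, so every value the caller still needs is copied out first. In a real kernel build the stale read is silent unless CONFIG_KASAN is enabled, which is why the report above is the expected way to catch this class of bug in testing.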

References

Affected packages