Patch "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition" has been added to the 5.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 73f7b171b7c09139eb3c6a5677c200dc1be5f318 Mon Sep 17 00:00:00 2001
From: Zheng Wang <zyytlz.wz@xxxxxxx>
Date: Thu, 9 Mar 2023 00:45:01 +0800
Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

From: Zheng Wang <zyytlz.wz@xxxxxxx>

commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 upstream.

In btsdio_probe, the data->work is bound with btsdio_work. It will be
started in btsdio_send_frame.

If the btsdio_remove runs with a unfinished work, there may be a race
condition that hdev is freed but used in btsdio_work. Fix it by
canceling the work before do cleanup in btsdio_remove.

Fixes: CVE-2023-1989
Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
[ Denis: Added CVE-2023-1989 and fixes tags. ]
Signed-off-by: Denis Efremov (Oracle) <efremov@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/bluetooth/btsdio.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/bluetooth/btsdio.c
+++ b/drivers/bluetooth/btsdio.c
@@ -346,6 +346,7 @@ static void btsdio_remove(struct sdio_fu
 	if (!data)
 		return;
 
+	cancel_work_sync(&data->work);
 	hdev = data->hdev;
 
 	sdio_set_drvdata(func, NULL);


Patches currently in stable-queue which might be from zyytlz.wz@xxxxxxx are

queue-5.4/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux