On Sat, Sep 02, 2023 at 02:21:56PM +0400, Denis Efremov (Oracle) wrote:
> From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be
> started in btsdio_send_frame.
>
> If the btsdio_remove runs with a unfinished work, there may be a race
> condition that hdev is freed but used in btsdio_work. Fix it by
> canceling the work before do cleanup in btsdio_remove.
>
> Fixes: CVE-2023-1989
> Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> [ Denis: Added CVE-2023-1989 and fixes tags. ]
> Signed-off-by: Denis Efremov (Oracle) <efremov@xxxxxxxxx>
> ---
>
> CVE-2023-1989 is 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.
> However, the fix was reverted and replaced with 73f7b171b7.
> In stable branches we've got only the original fix and its
> revert. I'm sending the replacement fix. One can find a
> reference to the new fix 73f7b171b7 in the revert commit
> db2bf510bd5d.
Now queued up, thanks.
greg k-h
