diff options
author | Zheng Wang <zyytlz.wz@163.com> | 2023-03-08 19:45:01 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-09-06 23:27:01 +0300 |
commit | 179c65828593aff1f444e15debd40a477cb23cf4 (patch) | |
tree | 6c47b34ef7d6b92255943748599444c4856533b7 /drivers/bluetooth | |
parent | 86b818e2495d1cbb2b9014d115952fa105eb8f92 (diff) | |
download | linux-179c65828593aff1f444e15debd40a477cb23cf4.tar.xz |
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 upstream.
In btsdio_probe, the data->work is bound with btsdio_work. It will be
started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race
condition that hdev is freed but used in btsdio_work. Fix it by
canceling the work before do cleanup in btsdio_remove.
Fixes: CVE-2023-1989
Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
Cc: stable@vger.kernel.org
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Denis: Added CVE-2023-1989 and fixes tags. ]
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/bluetooth')
-rw-r--r-- | drivers/bluetooth/btsdio.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644 --- a/drivers/bluetooth/btsdio.c +++ b/drivers/bluetooth/btsdio.c @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func) if (!data) return; + cancel_work_sync(&data->work); hdev = data->hdev; sdio_set_drvdata(func, NULL); |