[PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Zheng Wang zyytlz.wz@163.com
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
Fixes: CVE-2023-1989 Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") Cc: stable@vger.kernel.org Signed-off-by: Zheng Wang zyytlz.wz@163.com Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com [ Denis: Added CVE-2023-1989 and fixes tags. ] Signed-off-by: Denis Efremov (Oracle) efremov@linux.com ---
CVE-2023-1989 is 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. However, the fix was reverted and replaced with 73f7b171b7. In stable branches we've got only the original fix and its revert. I'm sending the replacement fix. One can find a reference to the new fix 73f7b171b7 in the revert commit db2bf510bd5d.
drivers/bluetooth/btsdio.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644 --- a/drivers/bluetooth/btsdio.c +++ b/drivers/bluetooth/btsdio.c @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func) if (!data) return;
+ cancel_work_sync(&data->work); hdev = data->hdev;
sdio_set_drvdata(func, NULL);
On Sat, Sep 02, 2023 at 02:21:56PM +0400, Denis Efremov (Oracle) wrote:
From: Zheng Wang zyytlz.wz@163.com
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
Fixes: CVE-2023-1989 Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") Cc: stable@vger.kernel.org Signed-off-by: Zheng Wang zyytlz.wz@163.com Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com [ Denis: Added CVE-2023-1989 and fixes tags. ] Signed-off-by: Denis Efremov (Oracle) efremov@linux.com
CVE-2023-1989 is 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. However, the fix was reverted and replaced with 73f7b171b7. In stable branches we've got only the original fix and its revert. I'm sending the replacement fix. One can find a reference to the new fix 73f7b171b7 in the revert commit db2bf510bd5d.
Now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Denis Efremov (Oracle) -
Greg KH