From 76dea8d32cee765e069d7b4857489b512b3bcb69 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 2 Sep 2023 15:29:11 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
---
 ...-btsdio_remove-due-to-race-condition.patch | 38 +++++++++++++++++++
 queue-5.10/series                             |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch

diff --git a/queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch b/queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
new file mode 100644
index 00000000000..310c8dbcb5b
--- /dev/null
+++ b/queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
@@ -0,0 +1,38 @@
+From 73f7b171b7c09139eb3c6a5677c200dc1be5f318 Mon Sep 17 00:00:00 2001
+From: Zheng Wang <zyytlz.wz@163.com>
+Date: Thu, 9 Mar 2023 00:45:01 +0800
+Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 upstream.
+
+In btsdio_probe, the data->work is bound with btsdio_work. It will be
+started in btsdio_send_frame.
+
+If the btsdio_remove runs with a unfinished work, there may be a race
+condition that hdev is freed but used in btsdio_work. Fix it by
+canceling the work before do cleanup in btsdio_remove.
+
+Fixes: CVE-2023-1989
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Denis: Added CVE-2023-1989 and fixes tags. ]
+Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btsdio.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -355,6 +355,7 @@ static void btsdio_remove(struct sdio_fu
+ 	if (!data)
+ 		return;
+ 
++	cancel_work_sync(&data->work);
+ 	hdev = data->hdev;
+ 
+ 	sdio_set_drvdata(func, NULL);
diff --git a/queue-5.10/series b/queue-5.10/series
index e3679ed790a..915f8b31b3b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -10,3 +10,4 @@ usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch
 usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch
 hid-wacom-remove-the-battery-when-the-ekr-is-off.patch
 staging-rtl8712-fix-race-condition.patch
+bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
-- 
2.47.3