From a67542a01229c6dcbe22e75550b9b12b61c215a2 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Apr 17 2023 08:24:50 +0000
Subject: power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition (CVE-2023-30772 bsc#1210329).
---
diff --git a/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch b/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
new file mode 100644
index 0000000..a8af6de
--- /dev/null
+++ b/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
@@ -0,0 +1,54 @@
+From 06615d11cc78162dfd5116efb71f29eb29502d37 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Sun, 12 Mar 2023 01:46:50 +0800
+Subject: [PATCH] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
+Git-commit: 06615d11cc78162dfd5116efb71f29eb29502d37
+Patch-mainline: v6.3-rc4
+References: CVE-2023-30772 bsc#1210329
+
+In da9150_charger_probe, &charger->otg_work is bound with
+da9150_charger_otg_work. da9150_charger_otg_ncb may be
+called to start the work.
+
+If we remove the module which will call da9150_charger_remove
+to make cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+Fix it by canceling the work before cleanup in the da9150_charger_remove
+
+CPU0 CPUc1
+
+ |da9150_charger_otg_work
+da9150_charger_remove |
+power_supply_unregister |
+device_unregister |
+power_supply_dev_release|
+kfree(psy) |
+ |
+ | power_supply_changed(charger->usb);
+ | //use
+
+Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
+Signed-off-by: Zheng Wang
+Signed-off-by: Sebastian Reichel
+Acked-by: Takashi Iwai
+
+---
+ drivers/power/supply/da9150-charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
+index 14da5c595dd9..a87aeaea38e1 100644
+--- a/drivers/power/supply/da9150-charger.c
++++ b/drivers/power/supply/da9150-charger.c
+@@ -657,6 +657,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
+
+ if (!IS_ERR_OR_NULL(charger->usb_phy))
+ usb_unregister_notifier(charger->usb_phy, &charger->otg_nb);
++ cancel_work_sync(&charger->otg_work);
+
+ power_supply_unregister(charger->battery);
+ power_supply_unregister(charger->usb);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index e2e8b9f..fa3034c 100644
--- a/series.conf
+++ b/series.conf
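Review bot: The added `cancel_work_sync(&charger->otg_work);` in da9150_charger_remove is unconditional, while the line right above it only unregisters the OTG notifier when `charger->usb_phy` passed `IS_ERR_OR_NULL`. If probe's `INIT_WORK` for `otg_work` sits under that same PHY check (probe is outside this hunk, so this is inferred rather than seen), the no-PHY path now cancels a work_struct that was never initialised, which only works because the struct came from a zeroed allocation and may trip debug-object or lockdep checks on debug kernels. Tying the cancel to the one path that can queue the work avoids that: `if (!IS_ERR_OR_NULL(charger->usb_phy)) { usb_unregister_notifier(charger->usb_phy, &charger->otg_nb); cancel_work_sync(&charger->otg_work); }`. The ordering itself is right, since the notifier is gone before the cancel, so nothing can re-queue the work after cancel_work_sync() returns and the unregister/kfree of the power supplies below it is safe. da9150_charger_remove begins before and continues after the inner hunk, so the IRQ teardown earlier in the function is not visible here.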
@@ -26849,6 +26849,7 @@ patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch + patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch # dhowells/linux-fs keys-uefi patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch