From cab17d2424b3c1b4c5acd547ddd9a36de191bccd Mon Sep 17 00:00:00 2001
From: Lee, Chun-Yi
Date: Apr 26 2023 06:27:33 +0000
Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach (bsc#1209871 CVE-2023-1670).
---
diff --git a/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch
new file mode 100644
index 0000000..625324f
--- /dev/null
+++ b/patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch
@@ -0,0 +1,51 @@
+From: Zheng Wang
+Date: Fri, 17 Mar 2023 00:15:26 +0800
+Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach
+Patch-mainline: v6.3-rc4
+Git-commit: e8d20c3ded59a092532513c9bd030d1ea66f5f44
+References: bsc#1209871 CVE-2023-1670
+
+In xirc2ps_probe, the local->tx_timeout_task was bounded
+with xirc2ps_tx_timeout_task. When timeout occurs,
+it will call xirc_tx_timeout->schedule_work to start the
+work.
+
+When we call xirc2ps_detach to remove the driver, there
+may be a sequence as follows:
+
+Stop responding to timeout tasks and complete scheduled
+tasks before cleanup in xirc2ps_detach, which will fix
+the problem.
+
+CPU0 CPU1
+
+ |xirc2ps_tx_timeout_task
+xirc2ps_detach |
+ free_netdev |
+ kfree(dev); |
+ |
+ | do_reset
+ | //use dev
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zheng Wang
+Signed-off-by: David S. Miller
+Acked-by: Lee, Chun-Yi
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -503,6 +503,11 @@ static void
+ xirc2ps_detach(struct pcmcia_device *link)
+ {
+ struct net_device *dev = link->priv;
++ struct local_info *local = netdev_priv(dev);
++
++ netif_carrier_off(dev);
++ netif_tx_disable(dev);
++ cancel_work_sync(&local->tx_timeout_task);
+
+ dev_dbg(&link->dev, "detach\n");
+
diff --git a/series.conf b/series.conf
index a0eecb5..fda142b 100644
--- a/series.conf
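Review bot: The three calls added at the top of xirc2ps_detach have no comment saying that their position is the fix, so a later cleanup could move them below the teardown and reopen the use-after-free. I would add `/* Quiesce TX and flush tx_timeout_task first: the work reaches do_reset(), which uses dev, and dev is freed later in detach. */` above `netif_carrier_off(dev);`. Note also that `cancel_work_sync()` only waits for work already queued or running; the guarantee that nothing re-queues it afterwards rests on `netif_carrier_off()` and `netif_tx_disable()` suppressing further tx timeouts. It is worth confirming that no other path (for example the interrupt handler) can turn the carrier back on before the netdev is torn down. The body of xirc2ps_detach continues outside the hunk, so the position of `free_netdev` relative to these calls is taken from the commit message rather than from visible code.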
+++ b/series.conf
@@ -26851,6 +26851,7 @@
 patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch
 patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
 patches.suse/hwmon-xgene-Fix-use-after-free-bug-in-xgene_hwmon_remove-d.patch
+ patches.suse/xirc2ps_cs-Fix-use-after-free-bug-in-xirc2ps_detach.patch
 patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
 patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
 patches.suse/cifs-fix-negotiate-context-parsing.patch