From cd805fae3161c298da12f42a589b36387ef734f1 Mon Sep 17 00:00:00 2001
From: Jean Delvare
Date: May 02 2023 12:19:17 +0000
Subject: Merge remote-tracking branch 'origin/users/tiwai/cve/linux-5.3/for-next' into cve/linux-5.3
---
diff --git a/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch b/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
new file mode 100644
index 0000000..a8af6de
--- /dev/null
+++ b/patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch
@@ -0,0 +1,54 @@
+From 06615d11cc78162dfd5116efb71f29eb29502d37 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Sun, 12 Mar 2023 01:46:50 +0800
+Subject: [PATCH] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
+Git-commit: 06615d11cc78162dfd5116efb71f29eb29502d37
+Patch-mainline: v6.3-rc4
+References: CVE-2023-30772 bsc#1210329
+
+In da9150_charger_probe, &charger->otg_work is bound with
+da9150_charger_otg_work. da9150_charger_otg_ncb may be
+called to start the work.
+
+If we remove the module which will call da9150_charger_remove
+to make cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+Fix it by canceling the work before cleanup in the da9150_charger_remove
+
+CPU0 CPUc1
+
+ |da9150_charger_otg_work
+da9150_charger_remove |
+power_supply_unregister |
+device_unregister |
+power_supply_dev_release|
+kfree(psy) |
+ |
+ | power_supply_changed(charger->usb);
+ | //use
+
+Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
+Signed-off-by: Zheng Wang
+Signed-off-by: Sebastian Reichel
+Acked-by: Takashi Iwai
+
+---
+ drivers/power/supply/da9150-charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
+index 14da5c595dd9..a87aeaea38e1 100644
+--- a/drivers/power/supply/da9150-charger.c
++++ b/drivers/power/supply/da9150-charger.c
+@@ -657,6 +657,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
+ 
+ if (!IS_ERR_OR_NULL(charger->usb_phy))
+ usb_unregister_notifier(charger->usb_phy, &charger->otg_nb);
++ cancel_work_sync(&charger->otg_work);
+ 
+ power_supply_unregister(charger->battery);
+ power_supply_unregister(charger->usb);
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index 8736374..de8aeba 100644
--- a/series.conf
+++ b/series.conf
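Review bot: The new `cancel_work_sync(&charger->otg_work);` in the embedded da9150_charger_remove hunk is placed after `usb_unregister_notifier()`, and that order is load-bearing but unexplained at the call site: per the patch description the notifier is what queues otg_work, so cancelling before unregistering would leave a window in which the work could be requeued and the use-after-free on the released power_supply would remain reachable. A short comment on the added line, e.g. `/* notifier is unregistered, so otg_work cannot be requeued; wait out any in-flight run before the supplies go away */`, would keep a later reorder from silently reintroducing the race. The embedded hunk's offsets (`@@ -657,6 +657,7 @@`) come from mainline, so it is worth confirming the backport applies without fuzz to the linux-5.3 tree this branch targets. da9150_charger_remove begins before and continues past the embedded hunk.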
@@ -23102,6 +23102,7 @@ patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch patches.suse/hwmon-xgene-Fix-use-after-free-bug-in-xgene_hwmon_remove-d.patch patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch + patches.suse/power-supply-da9150-Fix-use-after-free-bug-in-da9150.patch patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch ########################################################