Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unf…

…inished work In btsdio_probe, &data->work was bound with btsdio_work.In btsdio_send_frame, it was started by schedule_work. If we call btsdio_remove with an unfinished job, there may be a race condition and cause UAF bug on hdev. Fixes: ddbaf13 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices") Signed-off-by: Zheng Wang <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
android-risc-v · Mar 23, 2023 · 1e9ac11 · 1e9ac11
1 parent 9aa9d94
commit 1e9ac11
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
@@ -354,6 +354,7 @@ static void btsdio_remove(struct sdio_func *func)
 
 	BT_DBG("func %p", func);
 
+	cancel_work_sync(&data->work);
 	if (!data)
 		return;