Commit 4ea6cf7d authored Nov 14, 2024 by Yang Yingliang Committed by Yuan Can Nov 14, 2024

Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()

stable inclusion
from stable-v5.10.163
commit 0169acb41bc8634c50d3428edb2cae7ca304f673
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALIJ7
CVE: CVE-2022-48878

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0169acb41bc8634c50d3428edb2cae7ca304f673



--------------------------------

[ Upstream commit df4cfc91 ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().

Fixes: 0ff252c1 ("Bluetooth: hciuart: Add support QCA chipset for UART")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yuan Can <yuancan@huawei.com>

parent 81876e0e

drivers/bluetooth/hci_qca.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -905,7 +905,7 @@ static int qca_enqueue(struct hci_uart hu, struct sk_buff skb)
		default:
		BT_ERR("Illegal tx state: %d (losing packet)",
		qca->tx_ibs_state);
		kfree_skb(skb);
		dev_kfree_skb_irq(skb);
		break;
		}