CVE-2024-53237
Severity CVSS v4.0: Pending analysis
Type: CWE-416 (Use After Free)
Publication date: 27/12/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix use-after-free in device_for_each_child()

Syzbot has reported the following KASAN splat:

```text
BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0
Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980

CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Call Trace:

dump_stack_lvl+0x100/0x190
? device_for_each_child+0x18f/0x1a0
print_report+0x13a/0x4cb
? __virt_addr_valid+0x5e/0x590
? __phys_addr+0xc6/0x150
? device_for_each_child+0x18f/0x1a0
kasan_report+0xda/0x110
? device_for_each_child+0x18f/0x1a0
? __pfx_dev_memalloc_noio+0x10/0x10
device_for_each_child+0x18f/0x1a0
? __pfx_device_for_each_child+0x10/0x10
pm_runtime_set_memalloc_noio+0xf2/0x180
netdev_unregister_kobject+0x1ed/0x270
unregister_netdevice_many_notify+0x123c/0x1d80
? __mutex_trylock_common+0xde/0x250
? __pfx_unregister_netdevice_many_notify+0x10/0x10
? trace_contention_end+0xe6/0x140
? __mutex_lock+0x4e7/0x8f0
? __pfx_lock_acquire.part.0+0x10/0x10
? rcu_is_watching+0x12/0xc0
? unregister_netdev+0x12/0x30
unregister_netdevice_queue+0x30d/0x3f0
? __pfx_unregister_netdevice_queue+0x10/0x10
? __pfx_down_write+0x10/0x10
unregister_netdev+0x1c/0x30
bnep_session+0x1fb3/0x2ab0
? __pfx_bnep_session+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_woken_wake_function+0x10/0x10
? __kthread_parkme+0x132/0x200
? __pfx_bnep_session+0x10/0x10
? kthread+0x13a/0x370
? __pfx_bnep_session+0x10/0x10
kthread+0x2b7/0x370
? __pfx_kthread+0x10/0x10
ret_from_fork+0x48/0x80
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30

Allocated by task 4974:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
__kmalloc_noprof+0x1d1/0x440
hci_alloc_dev_priv+0x1d/0x2820
__vhci_create_device+0xef/0x7d0
vhci_write+0x2c7/0x480
vfs_write+0x6a0/0xfc0
ksys_write+0x12f/0x260
do_syscall_64+0xc7/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 4979:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x4f/0x70
kfree+0x141/0x490
hci_release_dev+0x4d9/0x600
bt_host_release+0x6a/0xb0
device_release+0xa4/0x240
kobject_put+0x1ec/0x5a0
put_device+0x1f/0x30
vhci_release+0x81/0xf0
__fput+0x3f6/0xb30
task_work_run+0x151/0x250
do_exit+0xa79/0x2c30
do_group_exit+0xd5/0x2a0
get_signal+0x1fcd/0x2210
arch_do_signal_or_restart+0x93/0x780
syscall_exit_to_user_mode+0x140/0x290
do_syscall_64+0xd4/0x250
entry_SYSCALL_64_after_hwframe+0x77/0x7f
```

In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
an underlying (kobject) reference counter is greater than 1. This
means that reparenting (which happens when the device is actually freed)
is delayed and, during that delay, the parent controller device (hciX)
may be deleted. Since the latter may create a dangling pointer to the
freed parent, avoid that scenario by reparenting to NULL explicitly.
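To make the lifetime problem described in the commit message concrete, here is an added user-space model; it is not kernel code and not the actual patch. A child device whose reference count is still above 1 after unregistration keeps its raw parent pointer, the parent is released, and a later walk up the parent chain (what pm_runtime_set_memalloc_noio() is doing in the splat) touches the released object. The device names, the `refs` field and the `released` flag are the model's own constructed assumptions; the fix is modelled as clearing the parent pointer at unregister time whenever other references remain.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy user-space model of the CVE-2024-53237 lifetime bug (not kernel code). */
struct dev {
    const char *name;
    struct dev *parent;   /* raw parent pointer, like struct device::parent */
    int refs;             /* stands in for the kobject reference count */
    bool released;        /* model only: set when the last reference is dropped */
};

/* Models device_unregister(): drops the registration reference. Unfixed, the
 * parent pointer is only cleared once the object is really released. */
static void dev_unregister(struct dev *d, bool reparent_fix)
{
    /* Modelled fix: if others still hold the device, detach it from its
     * parent now instead of waiting for the (possibly much later) release. */
    if (reparent_fix && d->refs > 1)
        d->parent = NULL;
    if (--d->refs == 0) {
        d->parent = NULL;
        d->released = true;   /* the real kernel would kfree() here */
    }
}

/* Walks up the parent chain as pm_runtime_set_memalloc_noio() does in the
 * splat. Returns how many released devices were touched; in the real kernel
 * any value above 0 is the use-after-free that KASAN flagged. */
static int walk_parents(const struct dev *d)
{
    int uaf = 0;
    for (; d; d = d->parent)
        if (d->released)
            uaf++;
    return uaf;
}

/* Constructed scenario from the splat: hci0 -> hci_conn device -> bnep0 netdev.
 * bnep0 holds a reference on the conn device, so conn's refs start at 2. */
static int scenario(bool reparent_fix)
{
    struct dev hci0  = { "hci0",   NULL,  1, false };
    struct dev conn  = { "hci0:1", &hci0, 2, false };
    struct dev bnep0 = { "bnep0",  &conn, 1, false };

    dev_unregister(&conn, reparent_fix);   /* hci_conn_del_sysfs() */
    dev_unregister(&hci0, false);          /* vhci_release(): hci0 released */
    return walk_parents(&bnep0);           /* netdev_unregister_kobject() */
}
```

`scenario(false)` reports one stale parent (the released hci0), while `scenario(true)` reports none because the walk stops at the detached conn device.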
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.300 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.262 (including) | 5.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.202 (including) | 5.10.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.140 (including) | 5.15.174 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.64 (including) | 6.1.120 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.5.13 (including) | 6.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.3 (including) | 6.6.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0f67ca2a80acf8b207240405b7f72d660665d3df
- https://git.kernel.org/stable/c/27aabf27fd014ae037cc179c61b0bee7cff55b3d
- https://git.kernel.org/stable/c/6894717a1ea363c5a27010ba604f957c309d282d
- https://git.kernel.org/stable/c/7b277bd569bb6a2777f0014f84b4344f444fd49d
- https://git.kernel.org/stable/c/91e2a2e4d1336333804cd31162984f01ad8cc70f
- https://git.kernel.org/stable/c/a9584c897d1cba6265c78010bbb45ca5722c88bc
- https://git.kernel.org/stable/c/de5a44f351ca7efd9add9851b218f5353e2224b7
- https://git.kernel.org/stable/c/fb91ce37dc9a37ea23cf32b6d7b667004e93d4c5
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html