CVE-2025-38118

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete<br /> <br /> This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to<br /> avoid crashes like bellow:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406<br /> Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341<br /> <br /> CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:408 [inline]<br /> print_report+0xd2/0x2b0 mm/kasan/report.c:521<br /> kasan_report+0x118/0x150 mm/kasan/report.c:634<br /> mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406<br /> hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x711/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245<br /> <br /> <br /> Allocated by task 5987:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1039 [inline]<br /> mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252<br /> mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279<br /> remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454<br /> hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719<br /> hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839<br /> sock_sendmsg_nosec net/socket.c:712 [inline]<br /> __sock_sendmsg+0x219/0x270 net/socket.c:727<br /> sock_write_iter+0x258/0x330 net/socket.c:1131<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x548/0xa90 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 5989:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2380 [inline]<br /> slab_free mm/slub.c:4642 [inline]<br /> kfree+0x18e/0x440 mm/slub.c:4841<br /> mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242<br /> mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366<br /> hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314<br /> __sys_bind_socket net/socket.c:1810 [inline]<br /> __sys_bind+0x2c3/0x3e0 net/socket.c:1841<br /> __do_sys_bind net/socket.c:1846 [inline]<br /> __se_sys_bind net/socket.c:1844 [inline]<br /> __x64_sys_bind+0x7a/0x90 net/socket.c:1844<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f