CVE-2024-49950

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49950
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49950.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49950
Published
2024-10-21T18:02:06.387Z
Modified
2025-11-27T02:33:19.915685Z
Summary
Bluetooth: L2CAP: Fix uaf in l2cap_connect
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix uaf in l2cap_connect

[Syzbot reported]
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54

CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
 l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
 l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
 hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
...

Freed by task 5245:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4598
 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
 l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
 hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/49xxx/CVE-2024-49950.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed 686e05c9dbd68766c6bda5f31f7e077f36a7fb29
Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed b22346eec479a30bfa4a02ad2c551b54809694d0
Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed b90907696c30172b809aa3dd2f0caffae761e4c6
Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed 78d30ce16fdf9c301bcd8b83ce613cea079cea83
Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed a1c6174e23df10b8e5770e82d63bc6e2118a3dc7
Introduced 7b064edae38d62d8587a8c574f93b53ce75ae749, fixed 333b4fd11e89b29c84c269123f871883a30be586

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

Introduced 3.8.0, fixed 5.15.174
Introduced 5.16.0, fixed 6.1.118
Introduced 6.2.0, fixed 6.6.55
Introduced 6.7.0, fixed 6.10.14
Introduced 6.11.0, fixed 6.11.3