DEBIAN-CVE-2025-39860

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2capsockcleanuplisten() syzbot reported the splat below without a repro. In the splat, a single thread calling btacceptdequeue() freed sk and touched it after that. The root cause would be the racy l2capsockcleanuplisten() call added by the cited commit. btacceptdequeue() is called under locksock() except for l2capsockrelease(). Two threads could see the same socket during the list iteration in btacceptdequeue(): CPU1 CPU2 (close()) ---- ---- sockhold(sk) sockhold(sk); locksock(sk) <-- block close() sockput(sk) btacceptunlink(sk) sockput(sk) <-- refcnt by btacceptenqueue() releasesock(sk) locksock(sk) sockput(sk) btacceptunlink(sk) sockput(sk) <-- last refcnt btacceptunlink(sk) <-- UAF Depending on the timing, the other thread could show up in the "Freed by task" part. Let's call l2capsockcleanuplisten() under locksock() in l2capsockrelease(). [0]: BUG: KASAN: slab-use-after-free in debugspinlockbefore kernel/locking/spinlockdebug.c:86 [inline] BUG: KASAN: slab-use-after-free in dorawspinlock+0x26f/0x2b0 kernel/locking/spinlockdebug.c:115 Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xcd/0x630 mm/kasan/report.c:482 kasanreport+0xe0/0x110 mm/kasan/report.c:595 debugspinlockbefore kernel/locking/spinlockdebug.c:86 [inline] dorawspinlock+0x26f/0x2b0 kernel/locking/spinlockdebug.c:115 spinlockbh include/linux/spinlock.h:356 [inline] releasesock+0x21/0x220 net/core/sock.c:3746 btacceptdequeue+0x505/0x600 net/bluetooth/afbluetooth.c:312 l2capsockcleanuplisten+0x5c/0x2a0 net/bluetooth/l2capsock.c:1451 l2capsockrelease+0x5c/0x210 net/bluetooth/l2capsock.c:1425 _sockrelease+0xb3/0x270 net/socket.c:649 sockclose+0x1c/0x30 net/socket.c:1439 _fput+0x3ff/0xb70 fs/filetable.c:468 taskworkrun+0x14d/0x240 kernel/taskwork.c:227 resumeusermodework include/linux/resumeusermode.h:50 [inline] exittousermodeloop+0xeb/0x110 kernel/entry/common.c:43 exittousermodeprepare include/linux/irq-entry-common.h:225 [inline] syscallexittousermodework include/linux/entry-common.h:175 [inline] syscallexittousermode include/linux/entry-common.h:210 [inline] dosyscall64+0x3f6/0x4c0 arch/x86/entry/syscall64.c:100 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f2accf8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIGRAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 </TASK> Allocated by task 5326: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:388 [inline] _kasankmalloc+0xaa/0xb0 mm/kasan/common.c:405 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4365 [inline] _kmalloc_nopro ---truncated---