In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54

CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd10 kernel/workqueue.c:3389
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5247:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
 set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa72/0xc90 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5246:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x149/0x360 mm/slub.c:4598
 settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455
 hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
 sock_do_ioctl+0x158/0x460 net/socket.c:1222
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f