CVE-2024-53237

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix use-after-free in deviceforeach_child()

Syzbot has reported the following KASAN splat:

BUG: KASAN: slab-use-after-free in deviceforeach_child+0x18f/0x1a0 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980

CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x100/0x190 ? deviceforeachchild+0x18f/0x1a0 printreport+0x13a/0x4cb ? __virtaddrvalid+0x5e/0x590 ? __physaddr+0xc6/0x150 ? deviceforeachchild+0x18f/0x1a0 kasanreport+0xda/0x110 ? deviceforeachchild+0x18f/0x1a0 ? __pfxdevmemallocnoio+0x10/0x10 deviceforeachchild+0x18f/0x1a0 ? __pfxdeviceforeachchild+0x10/0x10 pmruntimesetmemallocnoio+0xf2/0x180 netdevunregisterkobject+0x1ed/0x270 unregisternetdevicemany_notify+0x123c/0x1d80 ? __mutextrylockcommon+0xde/0x250 ? __pfxunregisternetdevicemanynotify+0x10/0x10 ? tracecontentionend+0xe6/0x140 ? __mutex_lock+0x4e7/0x8f0 ? __pfxlockacquire.part.0+0x10/0x10 ? rcuiswatching+0x12/0xc0 ? unregisternetdev+0x12/0x30 unregisternetdevice_queue+0x30d/0x3f0 ? __pfxunregisternetdevice_queue+0x10/0x10 ? __pfxdownwrite+0x10/0x10 unregisternetdev+0x1c/0x30 bnepsession+0x1fb3/0x2ab0 ? __pfxbnepsession+0x10/0x10 ? __pfxlockrelease+0x10/0x10 ? __pfxwokenwake_function+0x10/0x10 ? __kthread_parkme+0x132/0x200 ? __pfxbnepsession+0x10/0x10 ? kthread+0x13a/0x370 ? __pfxbnepsession+0x10/0x10 kthread+0x2b7/0x370 ? __pfxkthread+0x10/0x10 retfrom_fork+0x48/0x80 ? __pfxkthread+0x10/0x10 retfromforkasm+0x1a/0x30 </TASK>

Allocated by task 4974: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 __kmallocnoprof+0x1d1/0x440 hciallocdevpriv+0x1d/0x2820 _vhcicreatedevice+0xef/0x7d0 vhciwrite+0x2c7/0x480 vfswrite+0x6a0/0xfc0 ksyswrite+0x12f/0x260 dosyscall64+0xc7/0x250 entrySYSCALL64afterhwframe+0x77/0x7f

Freed by task 4979: kasansavestack+0x30/0x50 kasansavetrack+0x14/0x30 kasansavefree_info+0x3b/0x60 __kasanslabfree+0x4f/0x70 kfree+0x141/0x490 hcireleasedev+0x4d9/0x600 bthostrelease+0x6a/0xb0 devicerelease+0xa4/0x240 kobjectput+0x1ec/0x5a0 putdevice+0x1f/0x30 vhcirelease+0x81/0xf0 __fput+0x3f6/0xb30 taskworkrun+0x151/0x250 doexit+0xa79/0x2c30 dogroupexit+0xd5/0x2a0 getsignal+0x1fcd/0x2210 archdosignalorrestart+0x93/0x780 syscallexittousermode+0x140/0x290 dosyscall64+0xd4/0x250 entrySYSCALL64afterhwframe+0x77/0x7f

In 'hciconndelsysfs()', 'deviceunregister()' may be called when an underlying (kobject) reference counter is greater than 1. This means that reparenting (happened when the device is actually freed) is delayed and, during that delay, parent controller device (hciX) may be deleted. Since the latter may create a dangling pointer to freed parent, avoid that scenario by reparenting to NULL explicitly.