CVE-2025-38117

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Protect mgmt_pending list with its own lock

This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like:

================================================================== BUG: KASAN: slab-use-after-free in hcisockgetchannel+0x60/0x68 net/bluetooth/hcisock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318

CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: showstack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) _dumpstack+0x30/0x40 lib/dumpstack.c:94 dumpstacklvl+0xd8/0x12c lib/dumpstack.c:120 printaddressdescription+0xa8/0x254 mm/kasan/report.c:408 printreport+0x68/0x84 mm/kasan/report.c:521 kasanreport+0xb0/0x110 mm/kasan/report.c:634 _asanreportload2noabort+0x20/0x2c mm/kasan/reportgeneric.c:379 hcisockgetchannel+0x60/0x68 net/bluetooth/hcisock.c:91 mgmtpendingfind+0x7c/0x140 net/bluetooth/mgmtutil.c:223 pendingfind net/bluetooth/mgmt.c:947 [inline] removeadvmonitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445 hcimgmtcmd+0x780/0xc00 net/bluetooth/hcisock.c:1712 hcisocksendmsg+0x544/0xbb0 net/bluetooth/hcisock.c:1832 socksendmsgnosec net/socket.c:712 [inline] _socksendmsg net/socket.c:727 [inline] sockwriteiter+0x25c/0x378 net/socket.c:1131 newsyncwrite fs/readwrite.c:591 [inline] vfswrite+0x62c/0x97c fs/readwrite.c:684 ksyswrite+0x120/0x210 fs/readwrite.c:736 _dosyswrite fs/readwrite.c:747 [inline] _sesyswrite fs/readwrite.c:744 [inline] _arm64syswrite+0x7c/0x90 fs/readwrite.c:744 _invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t64synchandler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t64sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 7037: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x40/0x78 mm/kasan/common.c:68 kasansaveallocinfo+0x44/0x54 mm/kasan/generic.c:562 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x9c/0xb4 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4327 [inline] _kmallocnoprof+0x2fc/0x4c8 mm/slub.c:4339 kmallocnoprof include/linux/slab.h:909 [inline] skprotalloc+0xc4/0x1f0 net/core/sock.c:2198 skalloc+0x44/0x3ac net/core/sock.c:2254 btsockalloc+0x4c/0x300 net/bluetooth/afbluetooth.c:148 hcisockcreate+0xa8/0x194 net/bluetooth/hcisock.c:2202 btsockcreate+0x14c/0x24c net/bluetooth/afbluetooth.c:132 _sockcreate+0x43c/0x91c net/socket.c:1541 sockcreate net/socket.c:1599 [inline] _syssocketcreate net/socket.c:1636 [inline] _syssocket+0xd4/0x1c0 net/socket.c:1683 _dosyssocket net/socket.c:1697 [inline] _sesyssocket net/socket.c:1695 [inline] _arm64syssocket+0x7c/0x94 net/socket.c:1695 _invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t64synchandler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t64sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 6607: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x40/0x78 mm/kasan/common.c:68 kasansavefreeinfo+0x58/0x70 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x68/0x88 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline ---truncated---