CVE-2025-38118

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38118
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38118.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38118
Downstream
Related
Published
2025-07-03T09:15:25Z
Modified
2025-08-12T21:59:01.542104Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete

This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like below:

==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341

CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5987:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454
 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 sock_write_iter+0x258/0x330 net/socket.c:1131
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x548/0xa90 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5989:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2380 [inline]
 slab_free mm/slub.c:4642 [inline]
 kfree+0x18e/0x440 mm/slub.c:4841
 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366
 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
 __sys_bind_socket net/socket.c:1810 [inline]
 __sys_bind+0x2c3/0x3e0 net/socket.c:1841
 __do_sys_bind net/socket.c:1846 [inline]
 __se_sys_bind net/socket.c:1844 [inline]
 __x64_sys_bind+0x7a/0x90 net/socket.c:1844
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.147-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.1.133-1
6.1.135-1
6.1.137-1
6.1.139-1
6.1.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.35-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.35-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}