CVE-2025-38473

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix null-ptr-deref in l2capsockresume_cb()

syzbot reported null-ptr-deref in l2capsockresume_cb(). [0]

l2capsockresumecb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in locksock_nested()").

Since both l2capsockkill() and l2capsockresumecb() are executed under l2capsockresumecb(), we can avoid the issue simply by checking if chan->data is NULL.

Let's not access to the killed socket in l2capsockresume_cb().

BUG: KASAN: null-ptr-deref in clearbit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2capsockresumecb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hcirxwork Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dumpstack+0x30/0x40 lib/dumpstack.c:94 dumpstacklvl+0xd8/0x12c lib/dumpstack.c:120 printreport+0x58/0x84 mm/kasan/report.c:524 kasanreport+0xb0/0x110 mm/kasan/report.c:634 checkregioninline mm/kasan/generic.c:-1 [inline] kasancheck_range+0x264/0x2a4 mm/kasan/generic.c:189 _kasancheckwrite+0x20/0x30 mm/kasan/shadow.c:37 instrumentatomicwrite include/linux/instrumented.h:82 [inline] clearbit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2capsockresumecb+0xb4/0x17c net/bluetooth/l2capsock.c:1711 l2capsecuritycfm+0x524/0xea0 net/bluetooth/l2capcore.c:7357 hciauthcfm include/net/bluetooth/hcicore.h:2092 [inline] hciauthcompleteevt+0x2e8/0xa4c net/bluetooth/hcievent.c:3514 hcieventfunc net/bluetooth/hcievent.c:7511 [inline] hcieventpacket+0x650/0xe9c net/bluetooth/hcievent.c:7565 hcirxwork+0x320/0xb18 net/bluetooth/hcicore.c:4070 processonework+0x7e8/0x155c kernel/workqueue.c:3238 processscheduledworks kernel/workqueue.c:3321 [inline] workerthread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 retfromfork+0x10/0x20 arch/arm64/kernel/entry.S:847