CVE-2025-39860

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free in l2capsockcleanup_listen()

syzbot reported the splat below without a repro.

In the splat, a single thread calling btacceptdequeue() freed sk and touched it after that.

The root cause would be the racy l2capsockcleanup_listen() call added by the cited commit.

btacceptdequeue() is called under locksock() except for l2capsock_release().

Two threads could see the same socket during the list iteration in btacceptdequeue():

CPU1 CPU2 (close()) ---- ---- sockhold(sk) sockhold(sk); locksock(sk) <-- block close() sockput(sk) btacceptunlink(sk) sockput(sk) <-- refcnt by btacceptenqueue() releasesock(sk) locksock(sk) sockput(sk) btacceptunlink(sk) sockput(sk) <-- last refcnt btaccept_unlink(sk) <-- UAF

Depending on the timing, the other thread could show up in the "Freed by task" part.

Let's call l2capsockcleanuplisten() under locksock() in l2capsockrelease().

BUG: KASAN: slab-use-after-free in dorawspinlock+0x26f/0x2b0 kernel/locking/spinlockdebug.c:115 Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xcd/0x630 mm/kasan/report.c:482 kasanreport+0xe0/0x110 mm/kasan/report.c:595 debugspinlockbefore kernel/locking/spinlockdebug.c:86 [inline] dorawspinlock+0x26f/0x2b0 kernel/locking/spinlockdebug.c:115 spinlockbh include/linux/spinlock.h:356 [inline] releasesock+0x21/0x220 net/core/sock.c:3746 btacceptdequeue+0x505/0x600 net/bluetooth/afbluetooth.c:312 l2capsockcleanuplisten+0x5c/0x2a0 net/bluetooth/l2capsock.c:1451 l2capsockrelease+0x5c/0x210 net/bluetooth/l2capsock.c:1425 _sockrelease+0xb3/0x270 net/socket.c:649 sockclose+0x1c/0x30 net/socket.c:1439 _fput+0x3ff/0xb70 fs/filetable.c:468 taskworkrun+0x14d/0x240 kernel/taskwork.c:227 resumeusermodework include/linux/resumeusermode.h:50 [inline] exittousermodeloop+0xeb/0x110 kernel/entry/common.c:43 exittousermodeprepare include/linux/irq-entry-common.h:225 [inline] syscallexittousermodework include/linux/entry-common.h:175 [inline] syscallexittousermode include/linux/entry-common.h:210 [inline] dosyscall64+0x3f6/0x4c0 arch/x86/entry/syscall64.c:100 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f2accf8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 </TASK>

Allocated by task 5326: kasansavestack+0x33/0x60 mm/kasan/common.c:47 kasansavetrack+0x14/0x30 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:388 [inline] _kasankmalloc+0xaa/0xb0 mm/kasan/common.c:405 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4365 [inline] _kmallocnopro ---truncated---