CVE-2025-39983

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hcievent: Fix UAF in hciconntxdequeue

This fixes the following UAF caused by not properly locking hdev when processing HCIEVNUMCOMPPKTS:

BUG: KASAN: slab-use-after-free in hciconntxdequeue+0x1be/0x220 net/bluetooth/hciconn.c:3036 Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54

CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci1 hcirxwork Call Trace: <TASK> dumpstacklvl+0x189/0x250 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xca/0x230 mm/kasan/report.c:480 kasanreport+0x118/0x150 mm/kasan/report.c:593 hciconntxdequeue+0x1be/0x220 net/bluetooth/hciconn.c:3036 hcinumcomppktsevt+0x1c8/0xa50 net/bluetooth/hcievent.c:4404 hcieventfunc net/bluetooth/hcievent.c:7477 [inline] hcieventpacket+0x7e0/0x1200 net/bluetooth/hcievent.c:7531 hcirxwork+0x46a/0xe80 net/bluetooth/hcicore.c:4070 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry64.S:245 </TASK>

Allocated by task 54: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x93/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _kmalloccachenoprof+0x230/0x3d0 mm/slub.c:4359 kmallocnoprof include/linux/slab.h:905 [inline] kzallocnoprof include/linux/slab.h:1039 [inline] _hciconnadd+0x233/0x1b30 net/bluetooth/hciconn.c:939 leconncompleteevt+0x3d6/0x1220 net/bluetooth/hcievent.c:5628 hcileenhconncompleteevt+0x189/0x470 net/bluetooth/hcievent.c:5794 hcieventfunc net/bluetooth/hcievent.c:7474 [inline] hcieventpacket+0x78c/0x1200 net/bluetooth/hcievent.c:7531 hcirxwork+0x46a/0xe80 net/bluetooth/hcicore.c:4070 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry64.S:245

Freed by task 9572: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x46/0x50 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x62/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2381 [inline] slabfree mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 devicerelease+0x9c/0x1c0 kobjectcleanup lib/kobject.c:689 [inline] kobjectrelease lib/kobject.c:720 [inline] krefput include/linux/kref.h:65 [inline] kobjectput+0x22b/0x480 lib/kobject.c:737 hciconncleanup net/bluetooth/hciconn.c:175 [inline] hciconndel+0x8ff/0xcb0 net/bluetooth/hciconn.c:1173 hciabortconnsync+0x5d1/0xdf0 net/bluetooth/hcisync.c:5689 hcicmdsyncwork+0x210/0x3a0 net/bluetooth/hcisync.c:332 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245