CVE-2025-40309

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix UAF on scoconnfree

BUG: KASAN: slab-use-after-free in scoconnfree net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in krefput include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in scoconn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352

CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hcicmdsyncwork Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x10b/0x170 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x191/0x550 mm/kasan/report.c:482 kasanreport+0xc4/0x100 mm/kasan/report.c:595 scoconnfree net/bluetooth/sco.c:87 [inline] krefput include/linux/kref.h:65 [inline] scoconnput+0xdd/0x410 net/bluetooth/sco.c:107 scoconnectcfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hciconnectcfm include/net/bluetooth/hcicore.h:2082 [inline] hciconnfailed+0x20a/0x2e0 net/bluetooth/hciconn.c:1313 hciconnunlink+0x55f/0x810 net/bluetooth/hciconn.c:1121 hciconndel+0xb6/0x1110 net/bluetooth/hciconn.c:1147 hciabortconnsync+0x8c5/0xbb0 net/bluetooth/hcisync.c:5689 hcicmdsyncwork+0x281/0x380 net/bluetooth/hcisync.c:332 processonework kernel/workqueue.c:3236 [inline] processscheduledworks+0x77e/0x1040 kernel/workqueue.c:3319 workerthread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 retfromfork+0x13a/0x1e0 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>

Allocated by task 31370: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x30/0x70 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:388 [inline] _kasankmalloc+0x82/0x90 mm/kasan/common.c:405 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4382 [inline] _kmallocnoprof+0x22f/0x390 mm/slub.c:4394 kmallocnoprof include/linux/slab.h:909 [inline] skprotalloc+0xae/0x220 net/core/sock.c:2239 skalloc+0x34/0x5a0 net/core/sock.c:2295 btsockalloc+0x3c/0x330 net/bluetooth/afbluetooth.c:151 scosockalloc net/bluetooth/sco.c:562 [inline] scosockcreate+0xc0/0x350 net/bluetooth/sco.c:593 btsockcreate+0x161/0x3b0 net/bluetooth/afbluetooth.c:135 _sockcreate+0x3ad/0x780 net/socket.c:1589 sockcreate net/socket.c:1647 [inline] _syssocketcreate net/socket.c:1684 [inline] _syssocket+0xd5/0x330 net/socket.c:1731 _dosyssocket net/socket.c:1745 [inline] _sesyssocket net/socket.c:1743 [inline] _x64syssocket+0x7a/0x90 net/socket.c:1743 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xc7/0x240 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f

Freed by task 31374: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x30/0x70 mm/kasan/common.c:68 kasansavefreeinfo+0x40/0x50 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:243 [inline] _kasanslabfree+0x3d/0x50 mm/kasan/common.c:275 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2428 [inline] slabfree mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 skprotfree net/core/sock.c:2278 [inline] _skdestruct+0x4aa/0x630 net/core/sock.c:2373 scosockrelease+0x2ad/0x300 net/bluetooth/sco.c:1333 _sockrelease net/socket.c:649 [inline] sockclose+0xb8/0x230 net/socket.c:1439 _fput+0x3d1/0x9e0 fs/filetable.c:468 taskworkrun+0x206/0x2a0 kernel/taskwork.c:227 getsignal+0x1201/0x1410 kernel/signal.c:2807 archdosignalorrestart+0x34/0x740 arch/x86/kernel/signal.c:337 exittousermodeloop+0x68/0xc0 kernel/entry/common.c:40 exittousermodeprepare include/linux/irq-entry-common.h:225 [inline] s ---truncated---