Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete[EOL][EOL]This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to[EOL]avoid crashes like bellow:[EOL][EOL]==================================================================[EOL]BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406[EOL]Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341[EOL][EOL]CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)[EOL]Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014[EOL]Workqueue: hci0 hci_cmd_sync_work[EOL]Call Trace:[EOL] <TASK>[EOL] dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120[EOL] print_address_description mm/kasan/report.c:408 [inline][EOL] print_report+0xd2/0x2b0 mm/kasan/report.c:521[EOL] kasan_report+0x118/0x150 mm/kasan/report.c:634[EOL] mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406[EOL] hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334[EOL] process_one_work kernel/workqueue.c:3238 [inline][EOL] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321[EOL] worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402[EOL] kthread+0x711/0x8a0 kernel/kthread.c:464[EOL] ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148[EOL] ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245[EOL] </TASK>[EOL][EOL]Allocated by task 5987:[EOL] kasan_save_stack mm/kasan/common.c:47 [inline][EOL] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68[EOL] poison_kmalloc_redzone mm/kasan/common.c:377 [inline][EOL] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394[EOL] kasan_kmalloc include/linux/kasan.h:260 [inline][EOL] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358[EOL] kmalloc_noprof include/linux/slab.h:905 [inline][EOL] kzalloc_noprof include/linux/slab.h:1039 [inline][EOL] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252[EOL] mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279[EOL] remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454[EOL] hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719[EOL] hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839[EOL] sock_sendmsg_nosec net/socket.c:712 [inline][EOL] __sock_sendmsg+0x219/0x270 net/socket.c:727[EOL] sock_write_iter+0x258/0x330 net/socket.c:1131[EOL] new_sync_write fs/read_write.c:593 [inline][EOL] vfs_write+0x548/0xa90 fs/read_write.c:686[EOL] ksys_write+0x145/0x250 fs/read_write.c:738[EOL] do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline][EOL] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL][EOL]Freed by task 5989:[EOL] kasan_save_stack mm/kasan/common.c:47 [inline][EOL] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68[EOL] kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576[EOL] poison_slab_object mm/kasan/common.c:247 [inline][EOL] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264[EOL] kasan_slab_free include/linux/kasan.h:233 [inline][EOL] slab_free_hook mm/slub.c:2380 [inline][EOL] slab_free mm/slub.c:4642 [inline][EOL] kfree+0x18e/0x440 mm/slub.c:4841[EOL] mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242[EOL] mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366[EOL] hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314[EOL] __sys_bind_socket net/socket.c:1810 [inline][EOL] __sys_bind+0x2c3/0x3e0 net/socket.c:1841[EOL] __do_sys_bind net/socket.c:1846 [inline][EOL] __se_sys_bind net/socket.c:1844 [inline][EOL] __x64_sys_bind+0x7a/0x90 net/socket.c:1844[EOL] do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline][EOL] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f

CREATE(Triage):(User=lchen-cn) [CVE-2025-38118 (https://nvd.nist.gov/vuln/detail/CVE-2025-38118)