CVE-2022-48878

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_qca: Fix driver shutdown on closed serdev

The driver shutdown callback (which sends EDLSOCRESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hcidevopensync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qcapower_shutdown()).

The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth:

Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: ttydriverflushbuffer+0x4/0x30 serdevdevicewriteflush+0x24/0x34 qcaserdevshutdown+0x80/0x130 [hciuart] deviceshutdown+0x15c/0x260 kernel_restart+0x48/0xac

KASAN report:

BUG: KASAN: use-after-free in ttydriverflush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1

CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dumpbacktrace.part.0+0xdc/0xf0 showstack+0x18/0x30 dumpstacklvl+0x68/0x84 printreport+0x188/0x488 kasanreport+0xa4/0xf0 _asanload8+0x80/0xac ttydriverflushbuffer+0x1c/0x50 ttyportwriteflush+0x34/0x44 serdevdevicewriteflush+0x48/0x60 qcaserdevshutdown+0x124/0x274 deviceshutdown+0x1e8/0x350 kernelrestart+0x48/0xb0 _dosysreboot+0x244/0x2d0 _arm64sysreboot+0x54/0x70 invokesyscall+0x60/0x190 el0svccommon.constprop.0+0x7c/0x160 doel0svc+0x44/0xf0 el0svc+0x2c/0x6c el0t64synchandler+0xbc/0x140 el0t64_sync+0x190/0x194