In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix race condition in hci_cmd_sync_clear
There is a potential race condition between hci_cmd_sync_work and hci_cmd_sync_clear that can lead to a use-after-free. For instance, hci_cmd_sync_work may be added to the 'req_workqueue' after cancel_work_sync has already run. The entry of 'cmd_sync_work_list' may then be freed in hci_cmd_sync_clear, causing a kernel panic when it is used in 'hci_cmd_sync_work'.
Here's the call trace:
dump_stack_lvl+0x49/0x63
print_report.cold+0x5e/0x5d3
? hci_cmd_sync_work+0x282/0x320
kasan_report+0xaa/0x120
? hci_cmd_sync_work+0x282/0x320
__asan_report_load8_noabort+0x14/0x20
hci_cmd_sync_work+0x282/0x320
process_one_work+0x77b/0x11c0
? _raw_spin_lock_irq+0x8e/0xf0
worker_thread+0x544/0x1180
? poll_idle+0x1e0/0x1e0
kthread+0x285/0x320
? process_one_work+0x11c0/0x11c0
? kthread_complete_and_exit+0x30/0x30
ret_from_fork+0x22/0x30
</TASK>
Allocated by task 266:
kasan_save_stack+0x26/0x50
__kasan_kmalloc+0xae/0xe0
kmem_cache_alloc_trace+0x191/0x350
hci_cmd_sync_queue+0x97/0x2b0
hci_update_passive_scan+0x176/0x1d0
le_conn_complete_evt+0x1b5/0x1a00
hci_le_conn_complete_evt+0x234/0x340
hci_le_meta_evt+0x231/0x4e0
hci_event_packet+0x4c5/0xf00
hci_rx_work+0x37d/0x880
process_one_work+0x77b/0x11c0
worker_thread+0x544/0x1180
kthread+0x285/0x320
ret_from_fork+0x22/0x30
Freed by task 269:
kasan_save_stack+0x26/0x50
kasan_set_track+0x25/0x40
kasan_set_free_info+0x24/0x40
____kasan_slab_free+0x176/0x1c0
__kasan_slab_free+0x12/0x20
slab_free_freelist_hook+0x95/0x1a0
kfree+0xba/0x2f0
hci_cmd_sync_clear+0x14c/0x210
hci_unregister_dev+0xff/0x440
vhci_release+0x7b/0xf0
__fput+0x1f3/0x970
fput+0xe/0x20
task_work_run+0xd4/0x160
do_exit+0x8b0/0x22a0
do_group_exit+0xba/0x2a0
get_signal+0x1e4a/0x25b0
arch_do_signal_or_restart+0x93/0x1f80
exit_to_user_mode_prepare+0xf5/0x1a0
syscall_exit_to_user_mode+0x26/0x50
ret_from_fork+0x15/0x30
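As an added illustration of the teardown pattern behind this advisory (example code written for this page, not the kernel's code and not its upstream fix): a small userspace C model in which a producer, a worker and a teardown routine share one work list. The names cmd_dev, cmd_entry, cmd_queue, cmd_run_work, cmd_clear and scenario_late_queue are hypothetical stand-ins for the hci_dev cmd_sync machinery. The guard shown, refusing to queue once an 'unregistered' flag has been set under the same lock that protects the list, is a general way to close the window that cancelling work alone leaves open; whether it matches the upstream patch is not something this advisory states.

```c
/* Added example: userspace model of a work list that is drained and freed on
 * teardown while producers may still try to queue. Names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct cmd_entry {
    struct cmd_entry *next;
    int opcode;              /* constructed payload standing in for a command */
};

struct cmd_dev {
    atomic_flag lock;        /* spinlock protecting list and unregistered */
    struct cmd_entry *list;  /* pending entries (cf. cmd_sync_work_list) */
    bool unregistered;       /* set once teardown (cf. hci_cmd_sync_clear) began */
    int processed;           /* entries the worker has handled so far */
};

static void dev_lock(struct cmd_dev *dev)
{
    while (atomic_flag_test_and_set_explicit(&dev->lock, memory_order_acquire))
        ;                    /* spin until the flag was clear */
}

static void dev_unlock(struct cmd_dev *dev)
{
    atomic_flag_clear_explicit(&dev->lock, memory_order_release);
}

void cmd_dev_init(struct cmd_dev *dev)
{
    memset(dev, 0, sizeof(*dev));
    atomic_flag_clear(&dev->lock);
}

/* Producer: the unregistered check and the list insert happen under one lock,
 * so an entry can never be added to a list that teardown has already freed.
 * Returns 0, -ENODEV once teardown began, or -ENOMEM. */
int cmd_queue(struct cmd_dev *dev, int opcode)
{
    struct cmd_entry *e = malloc(sizeof(*e));

    if (!e)
        return -ENOMEM;
    e->opcode = opcode;
    dev_lock(dev);
    if (dev->unregistered) {
        dev_unlock(dev);
        free(e);
        return -ENODEV;      /* refuse: device is going away */
    }
    e->next = dev->list;
    dev->list = e;
    dev_unlock(dev);
    return 0;
}

/* Worker (cf. hci_cmd_sync_work): detach one entry under the lock, free it
 * outside. Returns 1 if an entry was handled, 0 if the list was empty. */
int cmd_run_work(struct cmd_dev *dev)
{
    struct cmd_entry *e;

    dev_lock(dev);
    e = dev->list;
    if (e) {
        dev->list = e->next;
        dev->processed++;
    }
    dev_unlock(dev);
    if (!e)
        return 0;
    free(e);
    return 1;
}

/* Teardown (cf. hci_cmd_sync_clear): set the flag under the lock first, then
 * free what is left. A producer that observes the flag backs off, so nothing
 * is appended after this point. Returns the number of entries discarded. */
int cmd_clear(struct cmd_dev *dev)
{
    struct cmd_entry *e, *next;
    int dropped = 0;

    dev_lock(dev);
    dev->unregistered = true;
    e = dev->list;
    dev->list = NULL;
    dev_unlock(dev);
    for (; e; e = next) {
        next = e->next;
        free(e);
        dropped++;
    }
    return dropped;
}

/* Sequence from the advisory: entries queued, teardown runs, then a late
 * producer queues again and the worker runs once more. Returns the late
 * producer's result so a caller can confirm the guard held. */
int scenario_late_queue(void)
{
    struct cmd_dev dev;
    int late;

    cmd_dev_init(&dev);
    cmd_queue(&dev, 0x0c);
    cmd_queue(&dev, 0x0d);
    cmd_clear(&dev);                /* frees both pending entries */
    late = cmd_queue(&dev, 0x0e);   /* rejected with -ENODEV, nothing dangles */
    cmd_run_work(&dev);             /* sees an empty list, touches no freed memory */
    return late;
}
```

The ordering in cmd_clear is the point: the flag is raised inside the same critical section that detaches the list, so there is no instant at which a producer can pass the check and then insert into a list that is about to be freed. The worker pops under the lock for the same reason. A KASAN report like the one above, with the free in a teardown path and the use in a work function, is the signature to look for when this invariant is missing.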