CVE-2023-53673

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53673
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53673.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53673
Published
2025-10-07T15:21:29Z
Modified
2025-10-21T18:19:57.943808Z
Summary
Bluetooth: hci_event: call disconnect callback before deleting conn
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: call disconnect callback before deleting conn

In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.

ISO, L2CAP and SCO connections refer to the hci_conn without hci_conn_get, so disconn_cfm must be called so they can clean up their conn, otherwise use-after-free occurs.

ISO:

iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
...
<no iso* activity on sk/conn>
...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014

RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth

L2CAP:

hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175

CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx_lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx_lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b8d290525e3972b5e876b2649a42bf4081d753fe
Fixed
59bd1e476bbc7bc6dff3c61bba787095a4839796
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b8d290525e3972b5e876b2649a42bf4081d753fe
Fixed
093a07052406b363b1b2ab489e17dbadaf3e509b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b8d290525e3972b5e876b2649a42bf4081d753fe
Fixed
7f7cfcb6f0825652973b780f248603e23f16ee90

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.5
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.5-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
6.1.42
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.7