In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix.
Call stack summary:
[use] l2capbredrsigcmd l2capconnect ┌ mutexlock(&conn->chanlock); │ chan = pchan->ops->newconnection(pchan); <- alloc chan │ _l2capchanadd(conn, chan); │ l2capchanhold(chan); │ listadd(&chan->list, &conn->chanl); ... (1) └ mutexunlock(&conn->chanlock); chan->conf_state ... (4) <- use after free
[free] l2capconndel ┌ mutexlock(&conn->chanlock); │ foreach chan in conn->chanl: ... (2) │ l2capchanput(chan); │ l2capchandestroy │ kfree(chan) ... (3) <- chan freed └ mutexunlock(&conn->chan_lock);
================================================================== BUG: KASAN: slab-use-after-free in instrumentatomicread include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2capconnect+0xa67/0x11a0 net/bluetooth/l2capcore.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311