In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix possible UAFs

This attempts to fix possible UAFs caused by struct mgmt_pending being freed while still being processed, like in the following trace. In order to fix it, mgmt_pending_valid is introduced and used to check if the mgmt_pending hasn't been removed from the pending list; on the complete callbacks it is used to check and, in addition, remove the cmd from the list while holding mgmt_pending_lock, to avoid TOCTOU problems since if the cmd is left on the list it can still be accessed and freed.

BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55

CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 12210:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 sock_write_iter+0x258/0x330 net/socket.c:1133
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 12221:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4648 [inline]
 kfree+0x18e/0x440 mm/slub.c:4847
 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
 mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
 hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
 sock_do_ioctl+0xd9/0x300 net/socket.c:1192
 sock_ioctl+0x576/0x790 net/socket.c:1313
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf ---truncated---
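The race pattern the commit message describes, reduced to a userspace C model. This is an added example and not the kernel's code: pending_head, pending_lock, pending_valid_check_only, pending_valid_and_remove, pending_free_all and simulate are hypothetical names, the freed-pointer log is a toy stand-in for what KASAN tracks, and the opcode value is constructed. It replays the interleaving from the trace deterministically rather than with threads: the buggy variant checks list membership and drops the lock before the caller uses the entry, while the fixed variant checks and unlinks the entry in one lock hold, so the racing power-off walk can no longer free it.

```c
/* Added userspace model of the race described above, not kernel code.
 * A pending cmd sits on a list; a completion callback looks it up while
 * a concurrent power-off walks the list and frees every entry.  The fixed
 * variant checks membership and unlinks under one lock hold. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct cmd { struct cmd *next; unsigned opcode; };

/* Hypothetical list and lock standing in for the kernel's pending list. */
static struct cmd *pending_head;
static pthread_mutex_t pending_lock = PTHREAD_MUTEX_INITIALIZER;

/* Freed-pointer log: reports a UAF without dereferencing freed memory. */
#define MAX_FREED 16
static void *freed_log[MAX_FREED];
static int nfreed;

static void cmd_free(struct cmd *c)
{
    if (nfreed < MAX_FREED) freed_log[nfreed++] = c;
    free(c);
}

static bool was_freed(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_log[i] == p) return true;
    return false;
}

static struct cmd *pending_add(unsigned opcode)
{
    struct cmd *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->opcode = opcode;
    pthread_mutex_lock(&pending_lock);
    c->next = pending_head;
    pending_head = c;
    pthread_mutex_unlock(&pending_lock);
    return c;
}

/* Power-off side: detach the whole list under the lock, then free it
 * (the role the foreach-and-free walk plays in the "Freed by" stack). */
static void pending_free_all(void)
{
    pthread_mutex_lock(&pending_lock);
    struct cmd *c = pending_head;
    pending_head = NULL;
    pthread_mutex_unlock(&pending_lock);
    while (c) { struct cmd *n = c->next; cmd_free(c); c = n; }
}

/* Buggy shape: membership check only.  The lock is dropped before the
 * caller touches cmd, so it can be freed in between (TOCTOU). */
static bool pending_valid_check_only(struct cmd *cmd)
{
    bool found = false;
    pthread_mutex_lock(&pending_lock);
    for (struct cmd *c = pending_head; c; c = c->next)
        if (c == cmd) { found = true; break; }
    pthread_mutex_unlock(&pending_lock);
    return found;
}

/* Fixed shape: check and unlink under the same lock hold.  On success the
 * caller owns cmd; a concurrent pending_free_all can no longer reach it. */
static bool pending_valid_and_remove(struct cmd *cmd)
{
    bool found = false;
    pthread_mutex_lock(&pending_lock);
    for (struct cmd **pp = &pending_head; *pp; pp = &(*pp)->next)
        if (*pp == cmd) {
            *pp = cmd->next;
            cmd->next = NULL;
            found = true;
            break;
        }
    pthread_mutex_unlock(&pending_lock);
    return found;
}

/* Deterministic replay of the trace's interleaving: worker validates its
 * cmd, power-off runs, worker then uses cmd.  True means a UAF. */
static bool simulate(bool use_fix)
{
    nfreed = 0; pending_head = NULL;
    struct cmd *cmd = pending_add(0x52);                /* constructed opcode */
    bool (*valid)(struct cmd *) =
        use_fix ? pending_valid_and_remove : pending_valid_check_only;
    if (!valid(cmd))
        return false;                                   /* already cancelled */
    pending_free_all();                                 /* the racing close */
    bool uaf = was_freed(cmd);
    if (!uaf)
        cmd_free(cmd);                                  /* owner releases it */
    return uaf;
}
```

With the fixed shape, ownership of the cmd passes to whichever side unlinks it first; the other side finds it already gone and bails out, which is the property the commit message's mgmt_pending_valid is after. A check that only reads the list gives no such guarantee once the lock is released.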