[SRU][F 0/2][N 0/1][PATCH] CVE-2024-53237
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Mon Feb 10 15:44:10 UTC 2025
[Impact]
Bluetooth: fix use-after-free in device_for_each_child()
In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
an underlying (kobject) reference counter is greater than 1. This
means that reparenting (happened when the device is actually freed)
is delayed and, during that delay, parent controller device (hciX)
may be deleted. Since the latter may create a dangling pointer to
freed parent, avoid that scenario by reparenting to NULL explicitly.
[Fix]
Oracular: Fixed via upstream stable updates (LP: #2091655)
Noble: Cherry picked from mainline
Jammy: Fixed via upstream stable updates (LP: #2095283)
Focal: Backported a dependency and cherry picked the fix commit from
mainline
[Test case]
Compile tested only.
[Where problems could occur]
The fix affects the bluetooth subsystem. An issue with this fix may lead
to incorrect handling of bluetooth devices. A user might experience
problems such as bluetooth devices failing to properly register and
unregister, resulting in device disconnects or inability to connect to
bluetooth peripherals.
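The delayed-release scenario described under [Impact], as an added userspace model in C (not kernel code and not part of this patch set): a refcounted child device whose release path touches its parent, while the parent controller is torn down during the delay caused by an extra reference. The struct dev fields and the simulate() helper are constructed for illustration; the "freed" flag stands in for memory that would really have been returned to the allocator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a refcounted device (stands in for a kobject-backed
 * struct device); not the kernel's real type. */
struct dev {
    const char *name;
    int refcnt;
    struct dev *parent; /* what the deferred release path dereferences */
    bool freed;         /* UAF sentinel: set once the object is torn down */
};

static void dev_get(struct dev *d) { d->refcnt++; }

/* Drop one reference. On the last put the release path runs and, like the
 * deferred reparenting in the bug, looks at the parent.
 * Returns -1 if other holders remain, 1 if the parent was already freed
 * (a use-after-free in real memory), 0 if the release was safe. */
static int dev_put(struct dev *d)
{
    if (--d->refcnt > 0)
        return -1;
    /* Safe here only because the model never frees memory. */
    int hit = (d->parent && d->parent->freed) ? 1 : 0;
    d->freed = true;
    return hit;
}

/* extra_ref: some other holder (e.g. an open sysfs file) still references
 * the child when it is unregistered, so its release is delayed.
 * reparent_to_null: the mitigation, detach the child from hciX before
 * unregistering so the delayed release never touches the controller.
 * Returns true if the delayed release dereferenced a freed parent. */
static bool simulate(bool extra_ref, bool reparent_to_null)
{
    struct dev hci  = { "hci0",   1, NULL, false };
    struct dev conn = { "hci0:1", 1, &hci, false };
    if (extra_ref)
        dev_get(&conn);
    if (reparent_to_null)
        conn.parent = NULL;          /* explicit reparenting to NULL */
    int r = dev_put(&conn);          /* unregister: drop our own reference */
    dev_put(&hci);                   /* controller deleted during the delay */
    if (r == -1)
        r = dev_put(&conn);          /* last holder finally releases the child */
    return r == 1;
}

int main(void)
{
    printf("delayed release, no fix: %s\n", simulate(true, false) ? "UAF" : "ok");
    printf("delayed release, fix:    %s\n", simulate(true, true) ? "UAF" : "ok");
    return 0;
}
```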
Andy Shevchenko (1):
driver core: Introduce device_find_any_child() helper
Dmitry Antipov (1):
Bluetooth: fix use-after-free in device_for_each_child()
drivers/base/core.c | 20 ++++++++++++++++++++
include/linux/device.h | 1 +
net/bluetooth/hci_sysfs.c | 15 ++++-----------
3 files changed, 25 insertions(+), 11 deletions(-)
--
2.43.0