ACK: [SRU][F 0/2][N 0/1][PATCH] CVE-2024-53237
Koichiro Den
koichiro.den at canonical.com
Tue Feb 11 11:49:17 UTC 2025
On Mon, Feb 10, 2025 at 04:44:10PM GMT, Massimiliano Pellizzer wrote:
> [Impact]
>
> Bluetooth: fix use-after-free in device_for_each_child()
>
> In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
> an underlying (kobject) reference counter is greater than 1. This
> means that reparenting (which happens when the device is actually freed)
> is delayed and, during that delay, the parent controller device (hciX)
> may be deleted. Since the latter may create a dangling pointer to the
> freed parent, avoid that scenario by reparenting to NULL explicitly.
>
> [Fix]
>
> Oracular: Fixed via upstream stable updates (LP: #2091655)
> Noble: Cherry picked from mainline
> Jammy: Fixed via upstream stable updates (LP: #2095283)
> Focal: Backported a dependency and cherry picked the fix commit from
> mainline
>
> [Test case]
>
> Compile tested only.
>
> [Where problems could occur]
>
> The fix affects the Bluetooth subsystem. An issue with this fix may lead
> to incorrect handling of Bluetooth devices. A user might experience
> problems such as Bluetooth devices failing to properly register and
> unregister, resulting in device disconnects or inability to connect to
> Bluetooth peripherals.
>
> Andy Shevchenko (1):
> driver core: Introduce device_find_any_child() helper
>
> Dmitry Antipov (1):
> Bluetooth: fix use-after-free in device_for_each_child()
>
> drivers/base/core.c | 20 ++++++++++++++++++++
> include/linux/device.h | 1 +
> net/bluetooth/hci_sysfs.c | 15 ++++-----------
> 3 files changed, 25 insertions(+), 11 deletions(-)
>
Acked-by: Koichiro Den <koichiro.den at canonical.com>
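The lifetime ordering the quoted commit message describes (unregister while the kobject refcount is still above 1, parent controller freed during the delay, deferred release then touching a dangling parent pointer, and the fix of reparenting to NULL explicitly) can be replayed in a small userspace model. The code below is an added example written for this page; it is not kernel code and not the patch under review. It assumes plain-int refcounts, a child that holds no reference on its parent, and a registry of live allocations used to detect a dangling pointer by address comparison instead of dereferencing freed memory; the device names "hci0" and "hci0:1" are constructed.

```c
/*
 * Constructed userspace model (added example, not kernel code) of the
 * lifetime bug the cover letter describes: a child device whose
 * unregister is deferred because another holder still has a reference,
 * while its parent is freed in the meantime. The deferred release then
 * touches a dangling parent pointer. The fix modelled is the one the
 * commit message names: reparent to NULL explicitly at unregister time.
 *
 * Model assumptions: refcounts are plain ints, the child holds no
 * reference on its parent, and "use" of the parent is detected by
 * consulting a registry of live objects, never by dereferencing.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct dev {
    const char *name;
    int refcount;
    struct dev *parent;   /* raw pointer with no reference held: the hazard */
};

/* Registry of live allocations keyed by address, so the model can tell a
 * dangling parent pointer from a live one without reading freed memory. */
#define MAX_LIVE 8
static uintptr_t live[MAX_LIVE];

static void live_set(const void *p, bool alive)
{
    uintptr_t key = (uintptr_t)p;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (alive && live[i] == 0) { live[i] = key; return; }
        if (!alive && live[i] == key) { live[i] = 0; return; }
    }
    abort(); /* registry full or entry missing: a bug in the model itself */
}

static bool is_live(const void *p)
{
    uintptr_t key = (uintptr_t)p;   /* address compared only, never dereferenced */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == key) return true;
    return false;
}

static struct dev *dev_new(const char *name, struct dev *parent)
{
    struct dev *d = calloc(1, sizeof *d);
    if (!d) abort();
    d->name = name;
    d->refcount = 1;      /* the registration reference */
    d->parent = parent;
    live_set(d, true);
    return d;
}

static void dev_get(struct dev *d) { d->refcount++; }

/* Final release. In the real driver core this is where parent-related
 * teardown runs; here it reports whether the parent pointer was dangling,
 * i.e. whether a real release would have read freed memory. */
static bool dev_release(struct dev *d)
{
    bool dangling = d->parent != NULL && !is_live(d->parent);
    live_set(d, false);
    free(d);
    return dangling;
}

static bool dev_put(struct dev *d)
{
    if (--d->refcount == 0)
        return dev_release(d);
    return false;         /* another holder remains: release is deferred */
}

/* Pre-fix ordering: only drop the registration reference. With the
 * refcount still above 1, the release (and its parent access) runs later. */
static bool unregister_vulnerable(struct dev *d)
{
    return dev_put(d);
}

/* Post-fix ordering: sever the parent link first, so a deferred release
 * has nothing to read once the parent is gone. */
static bool unregister_fixed(struct dev *d)
{
    d->parent = NULL;
    return dev_put(d);
}

/* Replays the sequence from the commit message; returns true if the
 * deferred release observed a dangling parent pointer. */
static bool run_scenario(bool fixed)
{
    struct dev *hci  = dev_new("hci0", NULL);    /* controller (constructed name) */
    struct dev *conn = dev_new("hci0:1", hci);   /* connection, child of hci0 */

    dev_get(conn);     /* an extra holder keeps conn alive: refcount is now 2 */

    /* Unregister while refcount > 1: the release is deferred. */
    bool early = fixed ? unregister_fixed(conn) : unregister_vulnerable(conn);
    assert(!early);

    dev_put(hci);      /* controller deleted during the delay */

    return dev_put(conn);   /* last holder drops: the deferred release runs now */
}

int main(void)
{
    printf("vulnerable ordering: dangling parent = %s\n",
           run_scenario(false) ? "yes" : "no");
    printf("fixed ordering:      dangling parent = %s\n",
           run_scenario(true) ? "yes" : "no");
    return 0;
}
```

The model keeps the child from holding a reference on its parent on purpose: that is what lets the controller disappear while the child's release is still pending, which is the ordering the commit message describes. Clearing the parent link at unregister time is what makes the later release safe regardless of how long the extra holder keeps the child alive.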