Skip to content

[cbr79] Many VULNs 2025-01-02#797

Merged
bmastbergen merged 7 commits into
ciqcbr7_9from
{bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02
Jan 5, 2026
Merged

[cbr79] Many VULNs 2025-01-02#797
bmastbergen merged 7 commits into
ciqcbr7_9from
{bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02

Conversation

@bmastbergen

Copy link
Copy Markdown
Collaborator

Background

We've backported the three bluetooth commits below to all of our other LTS branches:

a2a9339 Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
02c5ea5 Bluetooth: Fix l2cap_disconnect_req deadlock
25e97f7 Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

This branch required two additional prereqs:

28261da Bluetooth: Check state in l2cap_disconnect_rsp
6c08fc8 Bluetooth: Fix refcount use-after-free issue

The fs patch below had a couple of minor conflicts when applying, but the patch content remains the same:

2e488f1 fs: fix UAF/GPF bug in nilfs_mdt_destroy

Commits

    Bluetooth: Check state in l2cap_disconnect_rsp

    jira VULN-154996
    cve-pre CVE-2024-53297
    commit-author Matias Karhumaa <matias.karhumaa@gmail.com>
    commit 28261da8a26f4915aa257d12d506c6ba179d961f
    Bluetooth: Fix refcount use-after-free issue

    jira VULN-154996
    cve-pre CVE-2024-53297
    commit-author Manish Mandlik <mmandlik@google.com>
    commit 6c08fc896b60893c5d673764b0668015d76df462
    Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}

    jira VULN-154996
    cve-pre CVE-2023-53297
    commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    commit a2a9339e1c9deb7e1e079e12e27a0265aea8421a
    Bluetooth: Fix l2cap_disconnect_req deadlock

    jira VULN-154996
    cve-pre CVE-2023-53297
    commit-author Ying Hsu <yinghsu@chromium.org>
    commit 02c5ea5246a44d6ffde0fddebfc1d56188052976
    Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

    jira VULN-154996
    cve CVE-2023-53297
    commit-author Min Li <lm0963hack@gmail.com>
    commit 25e97f7b1866e6b8503be349eeea44bb52d661ce
    fs: fix UAF/GPF bug in nilfs_mdt_destroy

    jira VULN-155282
    cve CVE-2022-50367
    commit-author Dongliang Mu <mudongliangabcd@gmail.com>
    commit 2e488f13755ffbb60f307e991b27024716a33b29
    upstream-diff Minor conflicts due to missing:
                  4a075e39c864 ("locks: add a new struct file_locking_context
                  pointer to struct inode")
                  3d65ae4634ed ("writeback: initialize inode members that
                  track writeback history")

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 8s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
--
  IHEX2FW firmware/whiteheat_loader.fw
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
[TIMER]{BUILD}: 502s
Making Modules
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
--
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+
[TIMER]{MODULES}: 14s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 44s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 8s
[TIMER]{BUILD}: 502s
[TIMER]{MODULES}: 14s
[TIMER]{INSTALL}: 44s
[TIMER]{TOTAL} 575s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.11.1.x86_64-1.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+-1.log

brett@chewbacca ~/ciq/many-79-vulns-2025-01-02/kselftest-logs
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.11.1.x86_64-1.log | wc -l
4
brett@chewbacca ~/ciq/many-79-vulns-2025-01-02/kselftest-logs
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+-1.log | wc -l
4
brett@chewbacca ~/ciq/many-79-vulns-2025-01-02/kselftest-logs
 % grep ok <(diff -adU0 <(grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.11.1.x86_64-1.log | sort -h) <(grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-01-02-0807c2b+-1.log | sort -h))
brett@chewbacca ~/ciq/many-79-vulns-2025-01-02/kselftest-logs
 %

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20663314667

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 742feefa4ba4 (Bluetooth: Fix refcount use-after-free issue) references upstream commit
    6c08fc896b60 which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    2a154903cec2 Bluetooth: prefetch channel before killing sock (Hillf Danton)
  • ⚠️ PR commit c86d8c8cdc0f (Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}) does not reference a CVE but
    upstream commit a2a9339e1c9d is associated with CVE-2023-53827

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

JIRA PR Check Results

6 commit(s) with issues found:

Commit 0807c2bd64c4

Summary: fs: fix UAF/GPF bug in nilfs_mdt_destroy

⚠️ Warnings:

  • VULN-155282: No time logged - please log time manually

Commit 1078a4351eb0

Summary: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

⚠️ Warnings:

  • VULN-154996: No time logged - please log time manually

Commit 25874f60d63a

Summary: Bluetooth: Fix l2cap_disconnect_req deadlock

⚠️ Warnings:

  • VULN-154996: No time logged - please log time manually

Commit c86d8c8cdc0f

Summary: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}

⚠️ Warnings:

  • VULN-154996: No time logged - please log time manually

Commit 742feefa4ba4

Summary: Bluetooth: Fix refcount use-after-free issue

❌ Errors:

  • VULN-154996: CVE mismatch - Commit has CVE-2024-53297 but VULN ticket does not

⚠️ Warnings:

  • VULN-154996: VULN ticket has CVE-2023-53297 but commit does not
  • VULN-154996: No time logged - please log time manually

Commit 16a163c40264

Summary: Bluetooth: Check state in l2cap_disconnect_rsp

❌ Errors:

  • VULN-154996: CVE mismatch - Commit has CVE-2024-53297 but VULN ticket does not

⚠️ Warnings:

  • VULN-154996: VULN ticket has CVE-2023-53297 but commit does not
  • VULN-154996: No time logged - please log time manually

Summary: Checked 6 commit(s) total.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20663314667

@bmastbergen bmastbergen force-pushed the {bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02 branch from 0807c2b to 6dcbd78 Compare January 2, 2026 19:46
@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20665615394

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 7d0885acc04c (Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}) does not reference a CVE but
    upstream commit a2a9339e1c9d is associated with CVE-2023-53827

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

JIRA PR Check Results

3 commit(s) with issues found:

Commit 46ef3a72923e

Summary: Bluetooth: prefetch channel before killing sock

❌ Errors:

  • VULN-154996: CVE mismatch - Commit has CVE-2024-53297 but VULN ticket does not

⚠️ Warnings:

Commit 742feefa4ba4

Summary: Bluetooth: Fix refcount use-after-free issue

❌ Errors:

  • VULN-154996: CVE mismatch - Commit has CVE-2024-53297 but VULN ticket does not

⚠️ Warnings:

Commit 16a163c40264

Summary: Bluetooth: Check state in l2cap_disconnect_rsp

❌ Errors:

  • VULN-154996: CVE mismatch - Commit has CVE-2024-53297 but VULN ticket does not

⚠️ Warnings:


Summary: Checked 7 commit(s) total.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20665615394

jira VULN-154996
cve-pre CVE-2023-53297
commit-author Matias Karhumaa <matias.karhumaa@gmail.com>
commit 28261da

Because of both sides doing L2CAP disconnection at the same time, it
was possible to receive L2CAP Disconnection Response with CID that was
already freed. That caused problems if CID was already reused and L2CAP
Connection Request with same CID was sent out. Before this patch kernel
deleted channel context regardless of the state of the channel.

Example where leftover Disconnection Response (frame #402) causes local
device to delete L2CAP channel which was not yet connected. This in
turn confuses remote device's stack because same CID is re-used without
properly disconnecting.

Btmon capture before patch:
** snip **
> ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
      RFCOMM: Disconnect (DISC) (0x43)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x53 poll/final 1
         Length: 0
         FCS: 0xfd
< ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
      Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
      RFCOMM: Unnumbered Ack (UA) (0x63)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x73 poll/final 1
         Length: 0
         FCS: 0xd7
< ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
      L2CAP: Disconnection Request (0x06) ident 17 len 4
        Destination CID: 65
        Source CID: 65
> HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
        Num handles: 1
        Handle: 43
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
        Num handles: 1
        Handle: 43
        Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
      L2CAP: Disconnection Request (0x06) ident 26 len 4
        Destination CID: 65
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
      L2CAP: Disconnection Response (0x07) ident 26 len 4
        Destination CID: 65
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
      L2CAP: Connection Request (0x02) ident 18 len 4
        PSM: 1 (0x0001)
        Source CID: 65
> ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
      L2CAP: Disconnection Response (0x07) ident 17 len 4
        Destination CID: 65
        Source CID: 65
= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
> HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
        Num handles: 1
        Handle: 43
        Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
      L2CAP: Connection Request (0x02) ident 27 len 4
        PSM: 3 (0x0003)
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
      L2CAP: Connection Response (0x03) ident 27 len 8
        Destination CID: 65
        Source CID: 65
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
      L2CAP: Configure Request (0x04) ident 19 len 19
        Destination CID: 65
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1013
        Option: Retransmission and Flow Control (0x04) [mandatory]
          Mode: Basic (0x00)
          TX window size: 0
          Max transmit: 0
          Retransmission timeout: 0
          Monitor timeout: 0
          Maximum PDU size: 0
> HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
        Num handles: 1
        Handle: 43
        Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
      L2CAP: Connection Response (0x03) ident 18 len 8
        Destination CID: 66
        Source CID: 65
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
*snip*

Similar case after the patch:
*snip*
> ACL Data RX: Handle 43 flags 0x02 dlen 8            #22702 [hci0] 1664.411056
      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
      RFCOMM: Disconnect (DISC) (0x43)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x53 poll/final 1
         Length: 0
         FCS: 0xfd
< ACL Data TX: Handle 43 flags 0x00 dlen 8            #22703 [hci0] 1664.411136
      Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
      RFCOMM: Unnumbered Ack (UA) (0x63)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x73 poll/final 1
         Length: 0
         FCS: 0xd7
< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22704 [hci0] 1664.411143
      L2CAP: Disconnection Request (0x06) ident 11 len 4
        Destination CID: 65
        Source CID: 65
> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22705 [hci0] 1664.414009
        Num handles: 1
        Handle: 43
        Count: 1
> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22706 [hci0] 1664.415007
        Num handles: 1
        Handle: 43
        Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22707 [hci0] 1664.418674
      L2CAP: Disconnection Request (0x06) ident 17 len 4
        Destination CID: 65
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22708 [hci0] 1664.418762
      L2CAP: Disconnection Response (0x07) ident 17 len 4
        Destination CID: 65
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 12           #22709 [hci0] 1664.421073
      L2CAP: Connection Request (0x02) ident 12 len 4
        PSM: 1 (0x0001)
        Source CID: 65
> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22710 [hci0] 1664.421371
      L2CAP: Disconnection Response (0x07) ident 11 len 4
        Destination CID: 65
        Source CID: 65
> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22711 [hci0] 1664.424082
        Num handles: 1
        Handle: 43
        Count: 1
> HCI Event: Number of Completed Pac.. (0x13) plen 5  #22712 [hci0] 1664.425040
        Num handles: 1
        Handle: 43
        Count: 1
> ACL Data RX: Handle 43 flags 0x02 dlen 12           #22713 [hci0] 1664.426103
      L2CAP: Connection Request (0x02) ident 18 len 4
        PSM: 3 (0x0003)
        Source CID: 65
< ACL Data TX: Handle 43 flags 0x00 dlen 16           #22714 [hci0] 1664.426186
      L2CAP: Connection Response (0x03) ident 18 len 8
        Destination CID: 66
        Source CID: 65
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 43 flags 0x00 dlen 27           #22715 [hci0] 1664.426196
      L2CAP: Configure Request (0x04) ident 13 len 19
        Destination CID: 65
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1013
        Option: Retransmission and Flow Control (0x04) [mandatory]
          Mode: Basic (0x00)
          TX window size: 0
          Max transmit: 0
          Retransmission timeout: 0
          Monitor timeout: 0
          Maximum PDU size: 0
> ACL Data RX: Handle 43 flags 0x02 dlen 16           #22716 [hci0] 1664.428804
      L2CAP: Connection Response (0x03) ident 12 len 8
        Destination CID: 66
        Source CID: 65
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
*snip*

Fix is to check that channel is in state BT_DISCONN before deleting the
channel.

This bug was found while fuzzing Bluez's OBEX implementation using
Synopsys Defensics.

	Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
	Reported-by: Ari Timonen <ari.timonen@synopsys.com>
	Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 28261da)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-154996
cve-pre CVE-2023-53297
commit-author Manish Mandlik <mmandlik@google.com>
commit 6c08fc8

There is no lock preventing both l2cap_sock_release() and
chan->ops->close() from running at the same time.

If we consider Thread A running l2cap_chan_timeout() and Thread B running
l2cap_sock_release(), expected behavior is:
  A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
  A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
  B::l2cap_sock_release()->sock_orphan()
  B::l2cap_sock_release()->l2cap_sock_kill()

where,
sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
socket as SOCK_ZAPPED.

In l2cap_sock_kill(), there is an "if-statement" that checks if both
sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
satisfied.

In the race condition, following occurs:
  A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
  B::l2cap_sock_release()->sock_orphan()
  B::l2cap_sock_release()->l2cap_sock_kill()
  A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()

In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.

Similar condition occurs at other places where teardown/sock_kill is
happening:
  l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
  l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()

  l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
  l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()

  l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
  l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()

  l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
  l2cap_sock_cleanup_listen()->l2cap_sock_kill()

Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
l2cap channel to ensure that the socket is killed only after marked as
zapped and orphan.

	Signed-off-by: Manish Mandlik <mmandlik@google.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 6c08fc8)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-154996
cve-pre CVE-2023-53297
commit-author Hillf Danton <hdanton@sina.com>
commit 2a15490

Prefetch channel before killing sock in order to fix UAF like

 BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212
 Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751

	Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com
Fixes: 6c08fc8 ("Bluetooth: Fix refcount use-after-free issue")
	Cc: Manish Mandlik <mmandlik@google.com>
	Signed-off-by: Hillf Danton <hdanton@sina.com>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 2a15490)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@bmastbergen bmastbergen force-pushed the {bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02 branch from 6dcbd78 to c2d3d23 Compare January 2, 2026 20:33
@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20666371071

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 42426f30da7d (Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}) does not reference a CVE but
    upstream commit a2a9339e1c9d is associated with CVE-2023-53827

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

JIRA PR Check Results

1 commit(s) with issues found:

Commit 42426f30da7d

Summary: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}

⚠️ Warnings:

  • VULN-168829: VULN ticket has CVEs CVE-2023-53827 but commit has no CVEs

Summary: Checked 7 commit(s) total.

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20666371071

jira VULN-168829
cve CVE-2023-53827
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit a2a9339

Similar to commit d0be834 ("Bluetooth: L2CAP: Fix use-after-free
caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

	Cc: stable@kernel.org
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Signed-off-by: Min Li <lm0963hack@gmail.com>
(cherry picked from commit a2a9339)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-154996
cve-pre CVE-2023-53297
commit-author Ying Hsu <yinghsu@chromium.org>
commit 02c5ea5

L2CAP assumes that the locks conn->chan_lock and chan->lock are
acquired in the order conn->chan_lock, chan->lock to avoid
potential deadlock.
For example, l2sock_shutdown acquires these locks in the order:
  mutex_lock(&conn->chan_lock)
  l2cap_chan_lock(chan)

However, l2cap_disconnect_req acquires chan->lock in
l2cap_get_chan_by_scid first and then acquires conn->chan_lock
before calling l2cap_chan_del. This means that these locks are
acquired in unexpected order, which leads to potential deadlock:
  l2cap_chan_lock(c)
  mutex_lock(&conn->chan_lock)

This patch releases chan->lock before acquiring the conn_chan_lock
to avoid the potential deadlock.

Fixes: a2a9339 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}")
	Signed-off-by: Ying Hsu <yinghsu@chromium.org>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 02c5ea5)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-154996
cve CVE-2023-53297
commit-author Min Li <lm0963hack@gmail.com>
commit 25e97f7

conn->chan_lock isn't acquired before l2cap_get_chan_by_scid,
if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance'
is triggered.

	Reported-by: syzbot+9519d6b5b79cf7787cf3@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/000000000000894f5f05f95e9f4d@google.com/
	Signed-off-by: Min Li <lm0963hack@gmail.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 25e97f7)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-155282
cve CVE-2022-50367
commit-author Dongliang Mu <mudongliangabcd@gmail.com>
commit 2e488f1
upstream-diff Minor conflicts due to missing:
              4a075e3 ("locks: add a new struct file_locking_context
              pointer to struct inode")
              3d65ae4 ("writeback: initialize inode members that
              track writeback history")

In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes(e.g., UAF/GPF).

Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)

Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
	Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
	Reported-by: Hao Sun <sunhao.th@gmail.com>
	Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
	Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
	Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
	Cc: Al Viro <viro@zeniv.linux.org.uk>
	Cc: stable@vger.kernel.org
	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 2e488f1)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@bmastbergen bmastbergen force-pushed the {bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02 branch from c2d3d23 to 1a219f0 Compare January 2, 2026 20:52
@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20666688255

@github-actions

github-actions Bot commented Jan 2, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20666688255

@bmastbergen bmastbergen merged commit ff873a1 into ciqcbr7_9 Jan 5, 2026
2 checks passed
@bmastbergen bmastbergen deleted the {bmastbergen}_ciqcbr7_9/many-vulns-2025-01-02 branch January 5, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants