A double free vulnerability was found in the hci_conn_cleanup function of net/bluetooth/hci_conn.c, which may cause DOS or privilege escalation. Version: Linux kernel 6.2 (this problem also exists in 6.3-rc1) At the end of the hci_conn_del_sysfs(conn) function in the hci_conn_cleanup function, hci_dev_put(hdev) will be called. The hci_dev_put function will eventually call kfree to release the space used by name: ``` hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree ``` After the hci_conn_del_sysfs function ends, the hci_dev_put function is called again in the hci_conn_cleanup function, and their parameters hdev are the same, so double free will be caused when the name is released. In addition, at the end of hci_conn_cleanup, the hci_conn_put function is called again, which will call the put_device function to release conn->dev. Obviously conn->dev has been released, so there will also be a double free problem here. Call Trace from syzbot, https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419:
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2183548]
This was fixed for Fedora with the 6.2.12 stable kernel update.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394