Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

[ Upstream commit 23d22f2f71768034d6ef86168213843fc49bf550 ] There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd. Reported-by: syzbot+2fc81b50a4f8263a159b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2fc81b50a4f8263a159b Tested-by: syzbot+2fc81b50a4f8263a159b@syzkaller.appspotmail.com Fixes: fd913ef7ce619 ("Bluetooth: btusb: Add out-of-band wakeup support") Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com> 2025-11-05 14:28:41 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-11-24 10:35:50 +0100
commit: 95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (patch)
tree: bcb4254bb991d7f1fe00a1c9aa7242f91ac5bca5 /drivers/bluetooth
parent: 7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b (diff)
1 files changed, 6 insertions, 7 deletions
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a734c5135a8b..aedb47861400 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4179,6 +4179,11 @@ static void btusb_disconnect(struct usb_interface *intf)
 
 	hci_unregister_dev(hdev);
 
+	if (data->oob_wake_irq)
+		device_init_wakeup(&data->udev->dev, false);
+	if (data->reset_gpio)
+		gpiod_put(data->reset_gpio);
+
 	if (intf == data->intf) {
 		if (data->isoc)
 			usb_driver_release_interface(&btusb_driver, data->isoc);
@@ -4189,17 +4194,11 @@ static void btusb_disconnect(struct usb_interface *intf)
 			usb_driver_release_interface(&btusb_driver, data->diag);
 		usb_driver_release_interface(&btusb_driver, data->intf);
 	} else if (intf == data->diag) {
-		usb_driver_release_interface(&btusb_driver, data->intf);
 		if (data->isoc)
 			usb_driver_release_interface(&btusb_driver, data->isoc);
+		usb_driver_release_interface(&btusb_driver, data->intf);
 	}
 
-	if (data->oob_wake_irq)
-		device_init_wakeup(&data->udev->dev, false);
-
-	if (data->reset_gpio)
-		gpiod_put(data->reset_gpio);
-
 	hci_free_dev(hdev);
 }
author	Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>	2025-11-05 14:28:41 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-11-24 10:35:50 +0100
commit	95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (patch)
tree	bcb4254bb991d7f1fe00a1c9aa7242f91ac5bca5 /drivers/bluetooth
parent	7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b (diff)