In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix double free in hci_conn_cleanup

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

kernel.org https://git.kernel.org/stable/c/3c4236f1b2a715e878a06599fa8b0cc21f165d28 [No types assigned]

kernel.org https://git.kernel.org/stable/c/53d61daf35b1bbf3ae06e852ee107aa2f05b3776 [No types assigned]

kernel.org https://git.kernel.org/stable/c/56a4fdde95ed98d864611155f6728983e199e198 [No types assigned]

kernel.org https://git.kernel.org/stable/c/5c53afc766e07098429520b7677eaa164b593451 [No types assigned]

kernel.org https://git.kernel.org/stable/c/87624b1f9b781549e69f92db7ede012a21cec275 [No types assigned]

kernel.org https://git.kernel.org/stable/c/a85fb91e3d728bdfc80833167e8162cce8bc7004 [No types assigned]

kernel.org https://git.kernel.org/stable/c/ba7088769800d9892a7e4f35c3137a5b3e65410b [No types assigned]

kernel.org https://git.kernel.org/stable/c/fc666d1b47518a18519241cae213de1babd4a4ba [No types assigned]