[v1] Bluetooth: Fix Use-After-Free in hci_unregister_dev

[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev

Jordan Walters posted 1 patch 5 days, 5 hours ago

Diff against v1 v1 v2 v3
Download mbox

There is a newer version of this series

net/bluetooth/hci_core.c | 2 ++
1 file changed, 2 insertions(+)

Expand all Fold all

[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev

Posted by Jordan Walters 5 days, 5 hours ago

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters <gloambit@gloam.sh>
---
 net/bluetooth/hci_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc59..1cbc666527c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
 	disable_work_sync(&hdev->tx_work);
 	disable_work_sync(&hdev->power_on);
 	disable_work_sync(&hdev->error_reset);
+	disable_delayed_work_sync(&hdev->cmd_timer);
+	disable_delayed_work_sync(&hdev->ncmd_timer);
 
 	hci_cmd_sync_clear(hdev);