6a1803df08f44-8cecde9db82mr29905266d6.19.1780476679538; Wed, 03 Jun 2026 01:51:19 -0700 (PDT) Received: from rainbow (static-68-235-46-233.cust.tzulo.com. [68.235.46.233]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8ceccdcc968sm15148846d6.22.2026.06.03.01.51.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Jun 2026 01:51:19 -0700 (PDT) From: Jordan Walters To: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev() Date: Wed, 3 Jun 2026 04:50:47 -0400 Message-ID: <20260603085047.256779-1-jaggyaur@gmail.com> X-Mailer: git-send-email 2.54.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" hci_unregister_dev() does not disable cmd_timer and ncmd_timer before the hci_dev structure is freed. If a timeout fires during device teardown, the callback dereferences freed memory (including the hdev->reset function pointer), leading to a use-after-free. Add disable_delayed_work_sync() calls alongside the existing disable_work_sync() calls to ensure both timers are fully quiesced before teardown proceeds. Signed-off-by: Jordan Walters --- v4: v3 accidentally resent older fix using cancel_delayed_work_sync. This is the correct version using disable_delayed_work_sync. net/bluetooth/hci_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 28d7929dc59..1cbc666527c 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev) disable_work_sync(&hdev->tx_work); disable_work_sync(&hdev->power_on); disable_work_sync(&hdev->error_reset); + disable_delayed_work_sync(&hdev->cmd_timer); + disable_delayed_work_sync(&hdev->ncmd_timer); =20 hci_cmd_sync_clear(hdev); =20 --=20 2.49.0
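Review bot: the rationale for choosing disable_delayed_work_sync() over cancel_delayed_work_sync() for the two lines added after disable_work_sync(&hdev->error_reset) belongs in the commit message itself, because the only place it is stated ("v3 accidentally resent older fix using cancel_delayed_work_sync. This is the correct version using disable_delayed_work_sync.") sits below the --- separator and is discarded when the patch is applied; one sentence explaining that disabling, unlike cancelling, also rejects any re-arming of cmd_timer and ncmd_timer by work that is still running up to hci_cmd_sync_clear(hdev) would make that reasoning part of the git history. The message is also missing a Fixes: tag, and a pointer to the report or trace that showed the timeout firing during teardown (if one exists) would help reviewers confirm the scenario and stable maintainers pick the fix up.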