From: Jordan Walters
Date: Tue, 2 Jun 2026 17:05:39 -0400
Subject: [PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev
To: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Luiz Augusto von Dentz , "marcel@holtmann.org"

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has been
freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters
---
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index a1b2c3d4e..f5g6h7i8j 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_dev_do_close(hdev); hci_cancel_cmd_sync(hdev, -ENODEV); + disable_delayed_work_sync(&hdev->cmd_timer); + disable_delayed_work_sync(&hdev->ncmd_timer); /* Sync with hci_rx_work */ cancel_work_sync(&hdev->rx_work);
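Review bot: The `index a1b2c3d4e..f5g6h7i8j` line contains non-hexadecimal characters (g, h, i, j), which suggests the diff was hand-edited rather than generated by `git format-patch`; please regenerate it from a real commit so it can be applied and the blob ids verified. On the change itself, placing the two `disable_delayed_work_sync()` calls after `hci_cancel_cmd_sync(hdev, -ENODEV)` and before `cancel_work_sync(&hdev->rx_work)` is a sensible spot, but the commit message should explain why `hci_dev_do_close(hdev)` immediately above does not already quiesce cmd_timer and ncmd_timer, and why `disable_delayed_work_sync()` (which also makes any later re-arming a no-op) is needed here rather than `cancel_delayed_work_sync()`. A KASAN slab-use-after-free is claimed but no report, call trace, reproducer or `Fixes:` tag is included; add the trace and a `Fixes:` tag so the fix can be reviewed against the actual splat and backported to stable.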