[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev

Jordan Walters posted 1 patch 5 days, 7 hours ago
There is a newer version of this series
Posted by Jordan Walters 5 days, 7 hours ago
The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to
securely flush the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters <gloambit@gloam.sh>
---
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a1b2c3d4e..f5g6h7i8j 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
     hci_dev_do_close(hdev);

     hci_cancel_cmd_sync(hdev, -ENODEV);
+    disable_delayed_work_sync(&hdev->cmd_timer);
+    disable_delayed_work_sync(&hdev->ncmd_timer);

     /* Sync with hci_rx_work */
     cancel_work_sync(&hdev->rx_work);
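Review bot: the hunk places the two disable_delayed_work_sync() calls after hci_cancel_cmd_sync() but before the rx_work flush, which is the right order: disabling (rather than merely cancelling) the delayed work guarantees that a callback still running on another CPU completes and that neither timer can be re-armed once this point is passed, and the subsequent cancel_work_sync(&hdev->rx_work) then cannot race a late rearm from an incoming event. Two things should be fixed before this is merged, though. First, the commit message describes a KASAN slab-use-after-free but carries no Fixes: tag naming the commit that introduced the missing teardown and no Cc: stable line; a use-after-free fix without those will not be picked up by stable. Second, the index line `index a1b2c3d4e..f5g6h7i8j 100644` contains characters that are not hexadecimal, so this diff was not produced by git format-patch against a real tree; please regenerate the patch from the actual commit so the blob ids are valid and the patch applies cleanly with git am.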