From: Jordan Walters
Date: Tue, 2 Jun 2026 17:10:53 -0400
Subject: [PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev
To: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer before freeing the hci_dev structure. If an asynchronous event or timeout occurs during device teardown, the timer callbacks may execute after the device has been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to securely flush the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters
---
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index a1b2c3d4e..f5g6h7i8j 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_dev_do_close(hdev); hci_cancel_cmd_sync(hdev, -ENODEV); + disable_delayed_work_sync(&hdev->cmd_timer); + disable_delayed_work_sync(&hdev->ncmd_timer); /* Sync with hci_rx_work */ cancel_work_sync(&hdev->rx_work);
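
Review bot: The two disable_delayed_work_sync() calls are placed after hci_dev_do_close(hdev) and hci_cancel_cmd_sync(hdev, -ENODEV), but the commit message does not say which path can still arm cmd_timer or ncmd_timer once the device has been closed, so the hunk alone does not show that this is the right place or that the race window is actually closed. Please add the KASAN report (or at least the timer callback named in it) and a Fixes: tag for the commit that introduced the race. Also, the index line reads a1b2c3d4e..f5g6h7i8j, and g, h, i and j are not hexadecimal digits, so these are not real blob ids; regenerate the patch with git format-patch against a current tree so it can be applied and tested.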