[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev

Next message: Danilo Krummrich: "Re: [PATCH v6 0/3] Introduce DeviceContext"
Previous message: Bryan O'Donoghue: "Re: [PATCH v8 1/2] dt-bindings: phy: qcom: Add CSI2 C-PHY/DPHY schema"
Next in thread: Jordan Walters: "[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jordan Walters

Date: Tue Jun 02 2026 - 17:06:36 EST

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to
securely flush
the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters <gloambit@xxxxxxxx>
---
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a1b2c3d4e..f5g6h7i8j 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
hci_dev_do_close(hdev);

hci_cancel_cmd_sync(hdev, -ENODEV);
+ disable_delayed_work_sync(&hdev->cmd_timer);
+ disable_delayed_work_sync(&hdev->ncmd_timer);

/* Sync with hci_rx_work */
cancel_work_sync(&hdev->rx_work);