[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev

Next message: David Heidelberg via B4 Relay: "[PATCH v6 6/8] media: qcom: camss: csiphy-3ph: Update Gen2 v1.1 MIPI CSI-2 C-PHY init"
Previous message: David Heidelberg via B4 Relay: "[PATCH v6 7/8] media: qcom: camss: Account for C-PHY when calculating link frequency"
In reply to: Jordan Walters: "[PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jordan Walters

Date: Tue Jun 02 2026 - 19:35:26 EST

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters <gloambit@xxxxxxxx>
---
net/bluetooth/hci_core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc59..1cbc666527c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
disable_work_sync(&hdev->tx_work);
disable_work_sync(&hdev->power_on);
disable_work_sync(&hdev->error_reset);
+ disable_delayed_work_sync(&hdev->cmd_timer);
+ disable_delayed_work_sync(&hdev->ncmd_timer);

hci_cmd_sync_clear(hdev);