Re: [PATCH v9] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
From: patchwork-bot+bluetooth
Date: Tue May 19 2026 - 11:16:54 EST
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:
On Mon, 18 May 2026 10:49:49 +0800 you wrote:
> From: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
>
> Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
> Dereference (NPD) conditions were observed in the lifecycle management
> of hci_uart.
>
> The primary issue arises because the workqueues (init_ready and
> write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
> flag is set during TTY close. If a hangup occurs before setup completes,
> hci_uart_tty_close() skips the teardown of these workqueues and
> proceeds to free the `hu` struct. When the scheduled work executes
> later, it blindly dereferences the freed `hu` struct.
>
> [...]
Here is the summary with links:
- [v9] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
https://git.kernel.org/bluetooth/bluetooth-next/c/7db62a762f61
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
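
The close-path flaw described in the quoted commit message, as an added example that is not part of the original message or of the applied patch: a constructed user-space C model (all type and function names are hypothetical) that contrasts flag-gated teardown with cancelling unconditionally before the free. The unconditional variant is an assumption used for contrast, since the patch body is elided in this message.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed user-space model; all names are hypothetical, not kernel code. */
struct work { struct hu_model *owner; bool pending; };
struct hu_model {
    bool proto_ready;   /* stands in for HCI_UART_PROTO_READY */
    bool freed;         /* stands in for freeing hu; storage stays inspectable */
    struct work init_ready, write_work;
};
static void queue_item(struct hu_model *hu, struct work *w) { w->owner = hu; w->pending = true; }
static void cancel_item(struct work *w) { w->pending = false; }

/* Close path as the commit message describes it: teardown gated on the flag. */
static void close_gated(struct hu_model *hu)
{
    if (hu->proto_ready) {
        cancel_item(&hu->init_ready);
        cancel_item(&hu->write_work);
    }
    hu->freed = true;
}

/* Contrasting path (assumption): cancel unconditionally, then free. */
static void close_always_cancel(struct hu_model *hu)
{
    cancel_item(&hu->init_ready);
    cancel_item(&hu->write_work);
    hu->freed = true;
}

/* Count queued items that would still run against a freed owner after close. */
static int stale_runs(void (*close_fn)(struct hu_model *), bool ready_at_close)
{
    struct hu_model hu = { .proto_ready = ready_at_close };
    struct work *queue[] = { &hu.init_ready, &hu.write_work };
    int stale = 0;
    queue_item(&hu, &hu.init_ready);    /* setup still in flight */
    queue_item(&hu, &hu.write_work);
    close_fn(&hu);                      /* hangup arrives */
    for (int i = 0; i < 2; i++)
        stale += queue[i]->pending && queue[i]->owner->freed;
    return stale;
}

int main(void)
{
    printf("gated: %d stale, always-cancel: %d stale\n",
           stale_runs(close_gated, false), stale_runs(close_always_cancel, false));
    return 0;
}
```

The model keeps the "freed" object's storage alive so the stale references can be counted safely; in the kernel the same ordering leaves work items pointing at released memory.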