* [PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev
@ 2026-06-02 21:05 Jordan Walters
2026-06-02 21:39 ` bluez.test.bot
0 siblings, 1 reply; 3+ messages in thread
From: Jordan Walters @ 2026-06-02 21:05 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel; +Cc: Luiz Augusto von Dentz, marcel@holtmann.org
The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.
This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.
Signed-off-by: Jordan Walters <gloambit@gloam.sh>
---
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a1b2c3d4e..f5g6h7i8j 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
hci_dev_do_close(hdev);
hci_cancel_cmd_sync(hdev, -ENODEV);
+ disable_delayed_work_sync(&hdev->cmd_timer);
+ disable_delayed_work_sync(&hdev->ncmd_timer);
/* Sync with hci_rx_work */
cancel_work_sync(&hdev->rx_work);
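Review bot: the index line `a1b2c3d4e..f5g6h7i8j` is not a pair of git blob ids (g, h, i and j are not hex digits), so this diff was edited by hand rather than produced by git format-patch and will not apply cleanly with `git am`; please regenerate it from the tree, which also yields the diffstat this posting lacks. The two disable_delayed_work_sync() calls sit between hci_cancel_cmd_sync(hdev, -ENODEV) and the rx_work sync here, whereas the resend of the same patch puts them after disable_work_sync(&hdev->error_reset), yet both carry the identical `@@ -2671,6 +2671,8 @@` header with entirely different context lines; only one of the two can match the tree it claims. The commit message should also carry a Fixes: tag and the KASAN report (the call trace that shows which timer callback touched the freed hci_dev and which path re-armed it during teardown), since that is what lets reviewers confirm the window exists and lets stable pick the fix up.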
* [PATCH] Bluetooth: Fix Use-After-Free in hci_unregister_dev
@ 2026-06-02 23:34 Jordan Walters
2026-06-03 2:40 ` bluez.test.bot
0 siblings, 1 reply; 3+ messages in thread
From: Jordan Walters @ 2026-06-02 23:34 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel
The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.
This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.
Signed-off-by: Jordan Walters <gloambit@gloam.sh>
---
net/bluetooth/hci_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc59..1cbc666527c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
disable_work_sync(&hdev->tx_work);
disable_work_sync(&hdev->power_on);
disable_work_sync(&hdev->error_reset);
+ disable_delayed_work_sync(&hdev->cmd_timer);
+ disable_delayed_work_sync(&hdev->ncmd_timer);
hci_cmd_sync_clear(hdev);
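Review bot: this resend is titled [PATCH] rather than [PATCH v2] and has no changelog under the `---` line, yet the insertion point moved from just after hci_cancel_cmd_sync() in the first posting to after disable_work_sync(&hdev->error_reset) here; state the move and the reason for it (grouping the two timers with the other disable_work_sync() calls so that nothing can re-arm them before hci_cmd_sync_clear(hdev) runs) so the two versions can be compared. The hunk header is still `@@ -2671,6 +2671,8 @@` although the surrounding context differs completely from the first posting, so confirm the diff was generated from the tree named by index 28d7929dc59..1cbc666527c. In the description, "securely flush" should read "disable": disable_delayed_work_sync() differs from cancel_delayed_work_sync() precisely in that later queue attempts become no-ops, and naming that property is what justifies choosing disable over a plain cancel. The From:/Signed-off-by: address mismatch flagged by CheckPatch below also needs resolving before this can be applied.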
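The commit message above relies on one property of the workqueue API: cancel_delayed_work_sync() only removes the instance that is pending at that moment, so a concurrent event path can re-arm the timer before the owning structure is freed, while disable_delayed_work_sync() also makes every later queue attempt a no-op. The following userspace model, added here as an illustration and not part of the patch or of the kernel, replays that teardown race both ways. The names dwork, dev, teardown_race and the DEV_LIVE/DEV_DEAD poisoning are hypothetical stand-ins for struct delayed_work, struct hci_dev and freed memory; the only thing taken from the real API is the cancel-versus-disable semantics.

```c
/* Added example, not from the patch or the kernel: a userspace model of why
 * disabling delayed work closes a teardown window that merely cancelling it
 * leaves open. dwork, dev and teardown_race are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define DEV_LIVE 0x600d
#define DEV_DEAD 0xdead	/* stands in for freed, poisoned memory */

/* Miniature of struct delayed_work: pending instance, disabled flag, callback. */
struct dwork {
	bool pending;
	bool disabled;
	void (*fn)(void *owner);
	void *owner;
};

/* Miniature of struct hci_dev: it owns a timer that refers back to it. */
struct dev {
	int magic;
	int timeouts_handled;
	struct dwork cmd_timer;
};

static int late_callbacks;	/* callbacks that ran against a dead device */

/* queue_delayed_work() model: arming is refused once the work is disabled. */
static bool dwork_queue(struct dwork *w)
{
	if (w->disabled)
		return false;
	w->pending = true;
	return true;
}

/* cancel_delayed_work_sync() model: drops the pending instance, nothing more. */
static void dwork_cancel_sync(struct dwork *w)
{
	w->pending = false;
}

/* disable_delayed_work_sync() model: drops the pending instance and blocks re-arming. */
static void dwork_disable_sync(struct dwork *w)
{
	w->pending = false;
	w->disabled = true;
}

/* The workqueue thread firing whatever is still pending, some time later. */
static void dwork_run_pending(struct dwork *w)
{
	if (!w->pending)
		return;
	w->pending = false;
	w->fn(w->owner);
}

/* Timer callback in the role of hci_cmd_timeout(): it dereferences its owner. */
static void cmd_timeout(void *owner)
{
	struct dev *d = owner;

	if (d->magic == DEV_DEAD) {
		late_callbacks++;	/* this dereference is the use-after-free */
		return;
	}
	d->timeouts_handled++;
}

/*
 * Replay the teardown race. Returns how many timer callbacks touched the
 * device after it was "freed"; 0 means the teardown was safe.
 */
static int teardown_race(bool use_disable)
{
	static struct dev d;

	late_callbacks = 0;
	d.magic = DEV_LIVE;
	d.timeouts_handled = 0;
	d.cmd_timer = (struct dwork){ .fn = cmd_timeout, .owner = &d };

	dwork_queue(&d.cmd_timer);	/* a command is in flight, timer armed */

	/* Teardown step 1: stop the timer, either by cancelling or disabling. */
	if (use_disable)
		dwork_disable_sync(&d.cmd_timer);
	else
		dwork_cancel_sync(&d.cmd_timer);

	/* A concurrent event/completion path re-arms the timer during teardown. */
	dwork_queue(&d.cmd_timer);

	/* Teardown step 2: the device is freed (modelled by poisoning it). */
	d.magic = DEV_DEAD;

	/* Later, the workqueue thread runs whatever is still pending. */
	dwork_run_pending(&d.cmd_timer);

	return late_callbacks;
}

int main(void)
{
	printf("cancel only: %d late callback(s)\n", teardown_race(false));
	printf("disable    : %d late callback(s)\n", teardown_race(true));
	return 0;
}
```

With the cancel-only teardown the re-armed timer fires against the dead device and teardown_race() reports one late callback; with the disable variant the re-arm is refused and nothing runs after the free. The model deliberately poisons a static object instead of calling free() so that the late dereference is observable rather than undefined behaviour; in the kernel the same dereference is what KASAN reports as slab-use-after-free.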
* RE: Bluetooth: Fix Use-After-Free in hci_unregister_dev
2026-06-02 23:34 [PATCH] " Jordan Walters
@ 2026-06-03 2:40 ` bluez.test.bot
0 siblings, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-06-03 2:40 UTC (permalink / raw)
To: linux-bluetooth, jaggyaur
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1104912
---Test result---
Test Summary:
CheckPatch FAIL 0.73 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint FAIL 0.34 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.42 seconds
CheckAllWarning PASS 27.84 seconds
CheckSparse PASS 27.29 seconds
BuildKernel32 PASS 25.11 seconds
TestRunnerSetup PASS 528.65 seconds
TestRunner_l2cap-tester PASS 61.14 seconds
TestRunner_iso-tester PASS 81.68 seconds
TestRunner_bnep-tester PASS 19.35 seconds
TestRunner_mgmt-tester FAIL 212.14 seconds
TestRunner_rfcomm-tester PASS 25.82 seconds
TestRunner_sco-tester PASS 32.74 seconds
TestRunner_ioctl-tester PASS 26.06 seconds
TestRunner_mesh-tester FAIL 26.17 seconds
TestRunner_smp-tester PASS 23.85 seconds
TestRunner_userchan-tester PASS 20.29 seconds
TestRunner_6lowpan-tester PASS 22.90 seconds
IncrementalBuild PASS 25.01 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: Fix Use-After-Free in hci_unregister_dev
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#94:
The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
WARNING: From:/Signed-off-by: email address mismatch: 'From: Jordan Walters <jaggyaur@gmail.com>' != 'Signed-off-by: Jordan Walters <gloambit@gloam.sh>'
total: 0 errors, 2 warnings, 0 checks, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14608047.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix Use-After-Free in hci_unregister_dev
8: B1 Line exceeds max length (81>80): "This patch adds the necessary disable_delayed_work_sync() calls to securely flush"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.239 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.518 seconds
Mesh - Send cancel - 2 Timed out 1.991 seconds
https://github.com/bluez/bluetooth-next/pull/278
---
Regards,
Linux Bluetooth