* [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()
@ 2026-06-03 8:50 Jordan Walters
2026-06-03 12:39 ` [v4] " bluez.test.bot
2026-06-03 17:50 ` [PATCH v4] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Jordan Walters @ 2026-06-03 8:50 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel
hci_unregister_dev() does not disable cmd_timer and ncmd_timer
before the hci_dev structure is freed. If a timeout fires
during device teardown, the callback dereferences freed memory
(including the hdev->reset function pointer), leading to a
use-after-free.
Add disable_delayed_work_sync() calls alongside the existing
disable_work_sync() calls to ensure both timers are fully
quiesced before teardown proceeds.
Signed-off-by: Jordan Walters <jaggyaur@gmail.com>
---
v4: v3 accidentally resent older fix using cancel_delayed_work_sync.
This is the correct version using disable_delayed_work_sync.
net/bluetooth/hci_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc59..1cbc666527c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2671,6 +2671,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
disable_work_sync(&hdev->tx_work);
disable_work_sync(&hdev->power_on);
disable_work_sync(&hdev->error_reset);
+ disable_delayed_work_sync(&hdev->cmd_timer);
+ disable_delayed_work_sync(&hdev->ncmd_timer);
hci_cmd_sync_clear(hdev);
--
2.49.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* RE: [v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()
2026-06-03 8:50 [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev() Jordan Walters
@ 2026-06-03 12:39 ` bluez.test.bot
2026-06-03 17:50 ` [PATCH v4] " patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-06-03 12:39 UTC (permalink / raw)
To: linux-bluetooth, jaggyaur
[-- Attachment #1: Type: text/plain, Size: 2472 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105168
---Test result---
Test Summary:
CheckPatch PASS 0.72 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 0.33 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.12 seconds
CheckAllWarning PASS 27.85 seconds
CheckSparse PASS 26.29 seconds
BuildKernel32 PASS 24.34 seconds
TestRunnerSetup PASS 519.77 seconds
TestRunner_l2cap-tester FAIL 58.96 seconds
TestRunner_iso-tester PASS 75.65 seconds
TestRunner_bnep-tester PASS 19.41 seconds
TestRunner_mgmt-tester FAIL 209.19 seconds
TestRunner_rfcomm-tester PASS 25.68 seconds
TestRunner_sco-tester PASS 32.57 seconds
TestRunner_ioctl-tester PASS 26.29 seconds
TestRunner_mesh-tester FAIL 25.39 seconds
TestRunner_smp-tester PASS 23.55 seconds
TestRunner_userchan-tester PASS 19.76 seconds
TestRunner_6lowpan-tester PASS 22.67 seconds
IncrementalBuild PASS 24.73 seconds
Details
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Server - Set PHY 3M Failed 0.251 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.241 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.048 seconds
Mesh - Send cancel - 2 Timed out 1.988 seconds
https://github.com/bluez/bluetooth-next/pull/280
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()
2026-06-03 8:50 [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev() Jordan Walters
2026-06-03 12:39 ` [v4] " bluez.test.bot
@ 2026-06-03 17:50 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-06-03 17:50 UTC (permalink / raw)
To: Jordan Walters; +Cc: linux-bluetooth, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 3 Jun 2026 04:50:47 -0400 you wrote:
> hci_unregister_dev() does not disable cmd_timer and ncmd_timer
> before the hci_dev structure is freed. If a timeout fires
> during device teardown, the callback dereferences freed memory
> (including the hdev->reset function pointer), leading to a
> use-after-free.
>
> Add disable_delayed_work_sync() calls alongside the existing
> disable_work_sync() calls to ensure both timers are fully
> quiesced before teardown proceeds.
>
> [...]
Here is the summary with links:
- [v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()
https://git.kernel.org/bluetooth/bluetooth-next/c/eec3deaeaafe
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-03 17:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-03 8:50 [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev() Jordan Walters
2026-06-03 12:39 ` [v4] " bluez.test.bot
2026-06-03 17:50 ` [PATCH v4] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox