Re: [PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()

Next message: patchwork-bot+bluetooth: "Re: [PATCH] Bluetooth: btmtk: Disable remote wakeup for MT7922/MT7925"
Previous message: patchwork-bot+bluetooth: "Re: [PATCH v2] Bluetooth: eir: Fix stack OOB write when prepending the Flags AD"
In reply to: Jordan Walters: "[PATCH v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+bluetooth

Date: Wed Jun 03 2026 - 13:52:47 EST

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Wed, 3 Jun 2026 04:50:47 -0400 you wrote:
> hci_unregister_dev() does not disable cmd_timer and ncmd_timer
> before the hci_dev structure is freed. If a timeout fires
> during device teardown, the callback dereferences freed memory
> (including the hdev->reset function pointer), leading to a
> use-after-free.
>
> Add disable_delayed_work_sync() calls alongside the existing
> disable_work_sync() calls to ensure both timers are fully
> quiesced before teardown proceeds.
>
> [...]

Here is the summary with links:
- [v4] Bluetooth: hci_core: Fix UAF in hci_unregister_dev()
https://git.kernel.org/bluetooth/bluetooth-next/c/eec3deaeaafe

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html