[PW_SID:1104912] Bluetooth: Fix Use-After-Free in hci_unregister_dev

[BluezTestBot]

The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer
before freeing the hci_dev structure. If an asynchronous event or timeout occurs
during device teardown, the timer callbacks may execute after the device has
been freed, leading to a KASAN slab-use-after-free panic.

This patch adds the necessary disable_delayed_work_sync() calls to securely flush
the timers before the teardown sequence proceeds.

Signed-off-by: Jordan Walters gloambit@gloam.sh

net/bluetooth/hci_core.c | 2 ++
1 file changed, 2 insertions(+)

[github-actions]

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.73 seconds
Result: FAIL
Output:

Bluetooth: Fix Use-After-Free in hci_unregister_dev
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#94: 
The hci_unregister_dev() function fails to disable the cmd_timer and ncmd_timer

WARNING: From:/Signed-off-by: email address mismatch: 'From: Jordan Walters <jaggyaur@gmail.com>' != 'Signed-off-by: Jordan Walters <gloambit@gloam.sh>'

total: 0 errors, 2 warnings, 0 checks, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14608047.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

[github-actions]

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.14 seconds
Result: PASS

[github-actions]

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.14 seconds
Result: PASS

[github-actions]

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: FAIL
Output:

Bluetooth: Fix Use-After-Free in hci_unregister_dev

8: B1 Line exceeds max length (81>80): "This patch adds the necessary disable_delayed_work_sync() calls to securely flush"

[github-actions]

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.13 seconds
Result: PASS

[github-actions]

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.42 seconds
Result: PASS

[github-actions]

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.84 seconds
Result: PASS

[github-actions]

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.29 seconds
Result: PASS

[github-actions]

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.11 seconds
Result: PASS

[github-actions]

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 528.65 seconds
Result: PASS

[github-actions]

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 61.14 seconds
Result: PASS

[github-actions]

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 81.68 seconds
Result: PASS

[github-actions]

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 19.35 seconds
Result: PASS

[github-actions]

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 212.14 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.239 seconds

[github-actions]

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 25.82 seconds
Result: PASS

[github-actions]

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 32.74 seconds
Result: PASS

[github-actions]

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 26.06 seconds
Result: PASS

[github-actions]

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 26.17 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.518 seconds
Mesh - Send cancel - 2                               Timed out    1.991 seconds

[github-actions]

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 23.85 seconds
Result: PASS

[github-actions]

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 20.29 seconds
Result: PASS

[github-actions]

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 22.90 seconds
Result: PASS

[github-actions]

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 25.01 seconds
Result: PASS