CVE-2026-31500

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb().

Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer.

Below is the data race report and the kasan report:

BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined

read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030

write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526

BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260

Affected Software

VendorProductVersion RangeStatus
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < 7e041d0aad1d4d43d921ace052e04f4e2cacaed3affected
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < 5f84e845648dfa86e42de5487f1a774b42f0444daffected
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5affected
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < 66696648af477dc87859e5e4b607112f5f29d010affected
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < f7d84737663ad4a120d2d8ef1561a4df91282c2eaffected
LinuxLinux973bb97e5aee56edddaae3d5c96877101ad509c0 < 94d8e6fe5d0818e9300e514e095a200bd5ff93aeaffected
LinuxLinux4.3affected
LinuxLinux0 < 4.3unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References