Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

Summary

CVE	CVE-2026-31500
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-22 14:16:48 UTC
Updated	2026-04-22 14:16:48 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 973bb97e5aee56edddaae3d5c96877101ad509c0 5f84e845648dfa86e42de5487f1a774b42f0444d git	Not specified
CNA	Linux	Linux	affected 973bb97e5aee56edddaae3d5c96877101ad509c0 e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5 git	Not specified
CNA	Linux	Linux	affected 973bb97e5aee56edddaae3d5c96877101ad509c0 66696648af477dc87859e5e4b607112f5f29d010 git	Not specified
CNA	Linux	Linux	affected 973bb97e5aee56edddaae3d5c96877101ad509c0 f7d84737663ad4a120d2d8ef1561a4df91282c2e git	Not specified
CNA	Linux	Linux	affected 973bb97e5aee56edddaae3d5c96877101ad509c0 94d8e6fe5d0818e9300e514e095a200bd5ff93ae git	Not specified
CNA	Linux	Linux	affected 4.3	Not specified
CNA	Linux	Linux	unaffected 4.3 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.131 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.80 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.21 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.11 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.