{"api_version":"1","generated_at":"2026-06-08T18:28:41+00:00","cve":"CVE-2026-46275","urls":{"html":"https://cve.report/CVE-2026-46275","api":"https://cve.report/api/cve/CVE-2026-46275.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46275","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46275"},"summary":{"title":"Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n   disabling write_work causes a race condition where both can concurrently\n   double-free hu->tx_skb. This happens because protocol timers can\n   concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF\n   when vendor specific protocol close callbacks dereference hu->hdev.\n3. In the initialization error paths, failing to take the proto_lock\n   write lock before clearing PROTO_READY leads to races with active\n   readers. Additionally, hci_uart_tty_receive() accesses hu->hdev\n   outside the read lock, leading to UAFs if the initialization error\n   path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n   followed immediately by a cancel_work_sync(&hu->write_work). Clearing\n   the flag locks out concurrent protocol timers from successfully invoking\n   hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n   and preventing the tx_skb double-free.\n2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n   hu->proto->flush(). This is perfectly safe in the tty_close path\n   because hu->proto->close() executes shortly after, which intrinsically\n   purges all protocol SKB queues and tears down the state.\n3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)\n   across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()\n   inside the proto_lock read-side critical section to safely synchronize\n   with device unregistration.\n5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely\n   flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n   all paths to prevent permanently breaking user-space retry capabilities.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-08 16:16:40","updated_at":"2026-06-08 16:16:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894","name":"https://git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6","name":"https://git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b","name":"https://git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339","name":"https://git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c","name":"https://git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d","name":"https://git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8","name":"https://git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34","name":"https://git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46275","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46275","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f 78aad93e938f013d9272fe0ee168f27883afa95c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f e2d19969c8d9198ecc3090bcd5312ecd503a3339 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f c85cff648a2bc92322912db5f1727ad05afae7b6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f 9d20d48be2c4a071fb015eb09bda2cecd25daf34 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f 81c7a3c22a0f2808cf4ae0b4908f59763b23606d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f 192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f 7338031946bd06f6dff149e67b60c4cd083bfea8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3b799254cf6f481460719023d7a18f46651e5e7f c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cd27019bc149f20f12ebec943c2b4c775745a5a0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected aea63181b6fcb6b9ccde1ada9ea51be19c4015af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0d234d1135dcd8876de0576dac68efd0a87eef87 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3fe978892ab46efc2f3830d9abc015eff72caaf9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.14.203 4.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.19.153 4.20 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.4.73 5.5 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.8.17 5.9 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.9.2 5.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.258 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.209 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.142 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.92 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.34 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.11 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc5 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/bluetooth/hci_ldisc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"78aad93e938f013d9272fe0ee168f27883afa95c","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"e2d19969c8d9198ecc3090bcd5312ecd503a3339","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"c85cff648a2bc92322912db5f1727ad05afae7b6","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"9d20d48be2c4a071fb015eb09bda2cecd25daf34","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"81c7a3c22a0f2808cf4ae0b4908f59763b23606d","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"7338031946bd06f6dff149e67b60c4cd083bfea8","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"lessThan":"c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b","status":"affected","version":"3b799254cf6f481460719023d7a18f46651e5e7f","versionType":"git"},{"status":"affected","version":"cd27019bc149f20f12ebec943c2b4c775745a5a0","versionType":"git"},{"status":"affected","version":"aea63181b6fcb6b9ccde1ada9ea51be19c4015af","versionType":"git"},{"status":"affected","version":"0d234d1135dcd8876de0576dac68efd0a87eef87","versionType":"git"},{"status":"affected","version":"3fe978892ab46efc2f3830d9abc015eff72caaf9","versionType":"git"},{"status":"affected","version":"0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f","versionType":"git"},{"lessThan":"4.15","status":"affected","version":"4.14.203","versionType":"semver"},{"lessThan":"4.20","status":"affected","version":"4.19.153","versionType":"semver"},{"lessThan":"5.5","status":"affected","version":"5.4.73","versionType":"semver"},{"lessThan":"5.9","status":"affected","version":"5.8.17","versionType":"semver"},{"lessThan":"5.10","status":"affected","version":"5.9.2","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/bluetooth/hci_ldisc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.10"},{"lessThan":"5.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.258","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.209","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.142","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.92","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.34","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc5","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.258","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.209","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.142","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.92","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.34","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.11","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc5","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.203","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.153","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.73","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n   disabling write_work causes a race condition where both can concurrently\n   double-free hu->tx_skb. This happens because protocol timers can\n   concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF\n   when vendor specific protocol close callbacks dereference hu->hdev.\n3. In the initialization error paths, failing to take the proto_lock\n   write lock before clearing PROTO_READY leads to races with active\n   readers. Additionally, hci_uart_tty_receive() accesses hu->hdev\n   outside the read lock, leading to UAFs if the initialization error\n   path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n   followed immediately by a cancel_work_sync(&hu->write_work). Clearing\n   the flag locks out concurrent protocol timers from successfully invoking\n   hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n   and preventing the tx_skb double-free.\n2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n   hu->proto->flush(). This is perfectly safe in the tty_close path\n   because hu->proto->close() executes shortly after, which intrinsically\n   purges all protocol SKB queues and tears down the state.\n3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)\n   across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()\n   inside the proto_lock read-side critical section to safely synchronize\n   with device unregistration.\n5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely\n   flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n   all paths to prevent permanently breaking user-space retry capabilities."}],"providerMetadata":{"dateUpdated":"2026-06-08T14:30:54.232Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c"},{"url":"https://git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339"},{"url":"https://git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6"},{"url":"https://git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34"},{"url":"https://git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d"},{"url":"https://git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894"},{"url":"https://git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8"},{"url":"https://git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b"}],"title":"Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46275","datePublished":"2026-06-08T14:30:54.232Z","dateReserved":"2026-05-13T15:03:33.109Z","dateUpdated":"2026-06-08T14:30:54.232Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-08 16:16:40","lastModifiedDate":"2026-06-08 16:16:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46275","Ordinal":"1","Title":"Bluetooth: hci_uart: fix UAFs and race conditions in close and i","CVE":"CVE-2026-46275","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46275","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n   disabling write_work causes a race condition where both can concurrently\n   double-free hu->tx_skb. This happens because protocol timers can\n   concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF\n   when vendor specific protocol close callbacks dereference hu->hdev.\n3. In the initialization error paths, failing to take the proto_lock\n   write lock before clearing PROTO_READY leads to races with active\n   readers. Additionally, hci_uart_tty_receive() accesses hu->hdev\n   outside the read lock, leading to UAFs if the initialization error\n   path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n   followed immediately by a cancel_work_sync(&hu->write_work). Clearing\n   the flag locks out concurrent protocol timers from successfully invoking\n   hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n   and preventing the tx_skb double-free.\n2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n   hu->proto->flush(). This is perfectly safe in the tty_close path\n   because hu->proto->close() executes shortly after, which intrinsically\n   purges all protocol SKB queues and tears down the state.\n3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)\n   across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()\n   inside the proto_lock read-side critical section to safely synchronize\n   with device unregistration.\n5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely\n   flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n   all paths to prevent permanently breaking user-space retry capabilities.","Type":"Description","Title":"Bluetooth: hci_uart: fix UAFs and race conditions in close and i"}]}}}