CVE-2025-40318

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF".

Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.
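
The locking pattern the description refers to, shown as an added user-space C example; it is not the kernel patch or code from this advisory. A pthread mutex stands in for cmd_sync_work_lock, and `struct queue`, `queue_add`, `worker_take` and `dequeue_once` are hypothetical names chosen for the illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* User-space analogue; every name below is hypothetical, not a kernel symbol. */
struct entry { struct entry *prev, *next; int id; };
struct queue {
    pthread_mutex_t lock;  /* plays the role of cmd_sync_work_lock */
    struct entry head;     /* sentinel of a circular doubly linked list */
};

static void queue_init(struct queue *q) {
    pthread_mutex_init(&q->lock, NULL);
    q->head.prev = q->head.next = &q->head;
}
static struct entry *queue_add(struct queue *q, int id) {
    struct entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->id = id;
    pthread_mutex_lock(&q->lock);
    e->prev = q->head.prev; e->next = &q->head;
    q->head.prev->next = e; q->head.prev = e;
    pthread_mutex_unlock(&q->lock);
    return e;
}
/* Caller must hold q->lock. */
static void unlink_locked(struct entry *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
}
/* Worker side: detach the first entry (caller frees it), or NULL if empty. */
static struct entry *worker_take(struct queue *q) {
    pthread_mutex_lock(&q->lock);
    struct entry *e = q->head.next;
    if (e == &q->head) e = NULL; else unlink_locked(e);
    pthread_mutex_unlock(&q->lock);
    return e;
}
/* Canceller side: lookup and unlink in ONE critical section. Dropping the
 * lock between the two steps lets worker_take() detach the entry first, so
 * the canceller would unlink it again through a stale pointer. */
static bool dequeue_once(struct queue *q, int id) {
    bool found = false;
    pthread_mutex_lock(&q->lock);
    for (struct entry *e = q->head.next; e != &q->head; e = e->next)
        if (e->id == id) { unlink_locked(e); free(e); found = true; break; }
    pthread_mutex_unlock(&q->lock);
    return found;
}
int main(void) { struct queue q; queue_init(&q); queue_add(&q, 1); return dequeue_once(&q, 1) ? 0 : 1; }
```

Whichever side takes the lock first removes the entry; the other side finds nothing and returns without touching it.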

Impact