Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-31500

Severity: Pending analysis
Type: Not Available / Other type
Publication date: 22/04/2026
Last modified: 22/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb().

Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer.

Below is the data race report and the kasan report:

BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined

read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
  __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
  __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
  btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
  hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030

write/free by task ioctl/22580:
  btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648
  hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
  hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526

BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
  __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
  __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
  btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
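The interleaving described above, replayed deterministically in a single-threaded userspace model (an added example, not code from the kernel or from the advisory). Every name in it (struct dev, struct rsp, close_path, hw_error) is a hypothetical stand-in, and the model assumes the close path runs while the recovery path waits for a reply.

```c
/* Added illustration: single-threaded userspace model, not kernel code.
 * All names are hypothetical stand-ins for the objects in the advisory. */
#include <stdbool.h>
#include <stddef.h>

struct rsp { bool released; };      /* stands in for the response skb */
struct dev {
    bool sync_locked;               /* stands in for hci_req_sync_lock */
    struct rsp *req_rsp;            /* stands in for hdev->req_rsp */
    bool closed, close_waiting;
    int stale_uses;                 /* uses of an already released response */
};

/* Close path: always honours the lock, then releases whatever response
 * sits in the shared slot. Returns false where the kernel would block. */
static bool close_path(struct dev *d)
{
    if (d->closed) return true;
    if (d->sync_locked) {
        d->close_waiting = true;
        return false;
    }
    if (d->req_rsp) {
        d->req_rsp->released = true;
        d->req_rsp = NULL;
    }
    d->closed = true;
    return true;
}

/* Recovery path: two synchronous commands (reset, exception info).
 * `serialized` selects whether it holds the lock across the sequence. */
int hw_error(struct dev *d, bool serialized)
{
    struct rsp pool[2] = { { false }, { false } };
    d->sync_locked = serialized;
    for (int cmd = 0; cmd < 2; cmd++) {
        struct rsp *r = &pool[cmd];
        d->req_rsp = r;             /* reply lands in the shared slot */
        close_path(d);              /* replayed interleaving: close runs while we wait */
        if (r->released) d->stale_uses++;  /* kernel: kfree_skb() on a freed skb */
        r->released = true;         /* recovery path drops its reference */
        d->req_rsp = NULL;
    }
    d->sync_locked = false;
    if (d->close_waiting)
        close_path(d);              /* the blocked close proceeds after unlock */
    return d->stale_uses;
}
```

With the lock held across both commands the close path is deferred until the sequence ends, so no response is released underneath the recovery path.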

Impact