CVE-2025-40284
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/12/2025
Last modified:
06/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: cancel mesh send timer when hdev removed

mesh_send_done timer is not canceled when hdev is removed, which causes
crash if the timer triggers after hdev is gone.

Cancel the timer when MGMT removes the hdev, like other MGMT timers.

Should fix the BUG: sporadically seen by BlueZ test bot
(in "Mesh - Send cancel - 1" test).

Log:
------
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
...
Freed by task 36:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x43/0x70
kfree+0x103/0x500
device_release+0x9a/0x210
kobject_put+0x100/0x1e0
vhci_release+0x18b/0x240
------
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa
- https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961
- https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b
- https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76
- https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea



