Bug 2419935 (CVE-2025-40284)

Summary: CVE-2025-40284 kernel: Bluetooth: MGMT: cancel mesh send timer when hdev removed
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free vulnerability exists in the Bluetooth MGMT subsystem of the Linux kernel. When a Bluetooth HCI device is removed, the mesh_send_done timer is not cancelled. If this timer fires after the device is freed, it accesses freed memory and causes a kernel crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-08 07:10:00 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: cancel mesh send timer when hdev removed

mesh_send_done timer is not canceled when hdev is removed, which causes
crash if the timer triggers after hdev is gone.

Cancel the timer when MGMT removes the hdev, like other MGMT timers.

Should fix the BUG: sporadically seen by BlueZ test bot
(in "Mesh - Send cancel - 1" test).

Log:
------
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
...
Freed by task 36:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x43/0x70
 kfree+0x103/0x500
 device_release+0x9a/0x210
 kobject_put+0x100/0x1e0
 vhci_release+0x18b/0x240
------
Comment 1 Jon Moroney 2025-12-08 18:12:16 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120718-CVE-2025-40284-9c41@gregkh/T