Linux Kernel Bluetooth hci_qca Driver Timer Management Vulnerability

A vulnerability has been identified in the Linux kernel's Bluetooth subsystem, specifically within the hci_qca driver. This issue arises from improper timer management, where a timer can be freed while still active, leading to corruption of the timer list. The problem occurs because the del_timer() function is used instead of del_timer_sync(), creating a risk of freeing a timer that has not been properly deactivated. The vulnerability has been addressed by ensuring that del_timer_sync() is used before freeing the timer, and by rearranging the destruction of the associated work queue to prevent rearming of the timer via the workqueue.

Impact

The vulnerability could lead to a denial-of-service condition by causing timer list corruption, which can disrupt normal Bluetooth operations and potentially cause system instability.