In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcicore: cancel all works upon hciunregisterdev() syzbot is reporting that calling hcireleasedev() from hcierrorreset() due to hcidevput() from hcierrorreset() can cause deadlock at destroyworkqueue(), for hcierrorreset() is called from hdev->reqworkqueue which destroyworkqueue() needs to flush. We need to make sure that hdev->{rxwork,cmdwork,txwork} which are queued into hdev->workqueue and hdev->{poweron,errorreset} which are queued into hdev->reqworkqueue are no longer running by the moment destroyworkqueue(hdev->workqueue); destroyworkqueue(hdev->reqworkqueue); are called from hcireleasedev(). Call cancelworksync() on these work items from hciunregisterdev() as soon as hdev->list is removed from hcidev_list.