[PATCH v2] Bluetooth: L2CAP: Fix ECRED reconf rsp channel teardown race
From: Feng Ning
Date: Tue Apr 14 2026 - 20:48:13 EST
From: feng <feng@xxxxxxxxx>
The ECRED reconfiguration response tears down all channels that were part
of a failed procedure. The handler iterates over conn->chan_l while
holding conn->lock but it called l2cap_chan_del() without taking an extra
reference and without the per-channel lock. Other paths (socket close,
timer expiry, etc.) may drop the final reference outside conn->lock,
causing a use-after-free when the response is handled.
Take a temporary reference with l2cap_chan_hold_unless_zero(), perform
the deletion under the channel lock, and drop the reference afterwards.
Add lockdep_assert_held(&conn->lock) to document the calling requirements.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@xxxxxxxxxxxxxxx # v5.7+
Signed-off-by: Feng Ning <feng@xxxxxxxxx>
---
net/bluetooth/l2cap_core.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 95c65fece..08d2045ab 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5466,6 +5466,8 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
BT_DBG("result 0x%4.4x", result);
+ lockdep_assert_held(&conn->lock);
+
if (!result)
return 0;
@@ -5473,7 +5475,13 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
if (chan->ident != cmd->ident)
continue;
+ if (!l2cap_chan_hold_unless_zero(chan))
+ continue;
+
+ l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNRESET);
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
}
return 0;
--
2.49.0