Re: [PATCH v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

Next message: Laurent Pinchart: "Re: [PATCH v7 1/2] media: dt-bindings: Add CSI Pixel Formatter DT bindings"
Previous message: Viacheslav Dubeyko: "Re: [PATCH] nilfs2: Fix return in nilfs_mkdir"
In reply to: fourdim: "Re: [PATCH v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+bluetooth

Date: Wed May 20 2026 - 17:32:58 EST

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Sat, 16 May 2026 21:15:04 +0300 you wrote:
> bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
> accept queue and release_sock()s it before returning, so the returned
> sk has no caller reference and is unlocked.
>
> l2cap_sock_cleanup_listen() walks these children on listening-socket
> close. A concurrent HCI disconnect drives hci_rx_work ->
> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
> frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
>
> [...]

Here is the summary with links:
- [v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
https://git.kernel.org/bluetooth/bluetooth-next/c/0b580042a1a5

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html