diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2025-09-01 12:32:05 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2025-09-01 12:32:05 -0700 |
| commit | 0dffd938db37333bd7cc4946feb8c2c5262197ad (patch) | |
| tree | c75b6f29d3c1976942f4949d7c232c0983935590 /net | |
| parent | 788bc43d8330511af433bf282021a8fecb6b9009 (diff) | |
| parent | 862c628108562d8c7a516a900034823b381d3cba (diff) | |
| download | linux-0dffd938db37333bd7cc4946feb8c2c5262197ad.tar.gz linux-0dffd938db37333bd7cc4946feb8c2c5262197ad.tar.bz2 linux-0dffd938db37333bd7cc4946feb8c2c5262197ad.zip | |
Merge tag 'for-net-2025-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Luiz Augusto von Dentz says:
====================
bluetooth pull request for net:
- vhci: Prevent use-after-free by removing debugfs files early
- L2CAP: Fix use-after-free in l2cap_sock_cleanup_listen()
* tag 'for-net-2025-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
====================
Link: https://patch.msgid.link/20250829191210.1982163-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/l2cap_sock.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index f4257c4d3052..814fb8610ac4 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1422,7 +1422,10 @@ static int l2cap_sock_release(struct socket *sock) if (!sk) return 0; + lock_sock_nested(sk, L2CAP_NESTING_PARENT); l2cap_sock_cleanup_listen(sk); + release_sock(sk); + bt_sock_unlink(&l2cap_sk_list, sk); err = l2cap_sock_shutdown(sock, SHUT_RDWR); |