Bluetooth: L2CAP: Fix use-after-free

[ Upstream commit f752a0b334bb95fe9b42ecb511e0864e2768046f ] Fix potential use-after-free in l2cap_le_command_rej. Signed-off-by: Zhengping Jiang <jiangzp@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Zhengping Jiang <jiangzp@google.com> 2023-05-24 17:04:15 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-08-23 17:52:25 +0200
commit: 149daab45922ab1ac7f0cbeacab7251a46bf5e63 (patch)
tree: 10367a0f3eba5322d27daaaee6184865a73980d0 /net
parent: de8677ccf8830d54af3f4388508bb2dda2b06525 (diff)
download: linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.tar.gz
linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.tar.bz2
linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 02fc9961464c..a7899857aee5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6375,9 +6375,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
 	if (!chan)
 		goto done;
 
+	chan = l2cap_chan_hold_unless_zero(chan);
+	if (!chan)
+		goto done;
+
 	l2cap_chan_lock(chan);
 	l2cap_chan_del(chan, ECONNREFUSED);
 	l2cap_chan_unlock(chan);
+	l2cap_chan_put(chan);
 
 done:
 	mutex_unlock(&conn->chan_lock);
author	Zhengping Jiang <jiangzp@google.com>	2023-05-24 17:04:15 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-08-23 17:52:25 +0200
commit	149daab45922ab1ac7f0cbeacab7251a46bf5e63 (patch)
tree	10367a0f3eba5322d27daaaee6184865a73980d0 /net
parent	de8677ccf8830d54af3f4388508bb2dda2b06525 (diff)
download	linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.tar.gz linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.tar.bz2 linux-149daab45922ab1ac7f0cbeacab7251a46bf5e63.zip