[PW_SID:1104625] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb() by BluezTestBot · Pull Request #273 · bluez/bluetooth-next

BluezTestBot · 2026-06-02T14:59:55Z

l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
release_sock(parent). Once the parent lock is released, the child
socket sk can be freed by another task.

Allocate the channel outside the func to prevent this.

Fixes: `8ffb929` ("Bluetooth: Remove parent socket usage from l2cap_core.c")
Cc: stable@kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Siwei Zhang oss@fourdim.xyz

include/net/bluetooth/l2cap.h | 8 ++--
net/bluetooth/6lowpan.c | 32 +++++++++------
net/bluetooth/l2cap_core.c | 60 ++++++++++++++++++++-------
net/bluetooth/l2cap_sock.c | 76 ++++++++++++++++++++++-------------
net/bluetooth/smp.c | 18 ++++-----
5 files changed, 126 insertions(+), 68 deletions(-)

l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after release_sock(parent). Once the parent lock is released, the child socket sk can be freed by another task. Allocate the channel outside the func to prevent this. Fixes: 8ffb929 ("Bluetooth: Remove parent socket usage from l2cap_core.c") Cc: stable@kernel.org Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Siwei Zhang <oss@fourdim.xyz>

github-actions · 2026-06-02T15:13:55Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 2.73 seconds
Result: PASS

github-actions · 2026-06-02T15:13:58Z

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.12 seconds
Result: PASS

github-actions · 2026-06-02T15:14:01Z

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.12 seconds
Result: PASS

github-actions · 2026-06-02T15:14:03Z

GitLint
Desc: Run gitlint
Duration: 0.30 seconds
Result: PASS

github-actions · 2026-06-02T15:14:06Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.11 seconds
Result: PASS

github-actions · 2026-06-02T15:14:38Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.05 seconds
Result: PASS

github-actions · 2026-06-02T15:15:12Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.86 seconds
Result: PASS

github-actions · 2026-06-02T15:15:45Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 26.23 seconds
Result: PASS

github-actions · 2026-06-02T15:16:16Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.55 seconds
Result: PASS

github-actions · 2026-06-02T15:25:15Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 535.77 seconds
Result: PASS

github-actions · 2026-06-02T15:26:17Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 59.84 seconds
Result: PASS

github-actions · 2026-06-02T15:26:43Z

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 23.74 seconds
Result: PASS

github-actions · 2026-06-02T15:27:09Z

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 23.40 seconds
Result: PASS

github-actions · 2026-06-02T15:27:41Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 24.33 seconds
Result: PASS

github-actions Bot added area:6lowpan area:l2cap area:smp labels Jun 2, 2026

Conversation

BluezTestBot commented Jun 2, 2026

Fixes: 8ffb929 ("Bluetooth: Remove parent socket usage from l2cap_core.c") Cc: stable@kernel.org Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Siwei Zhang oss@fourdim.xyz

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

github-actions Bot commented Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Fixes: `8ffb929` ("Bluetooth: Remove parent socket usage from l2cap_core.c")
Cc: stable@kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Siwei Zhang oss@fourdim.xyz