Commit fe49aa73 authored May 24, 2023 by Zhengping Jiang Committed by Greg Kroah-Hartman Aug 30, 2023

Bluetooth: L2CAP: Fix use-after-free



[ Upstream commit f752a0b334bb95fe9b42ecb511e0864e2768046f ]

Fix potential use-after-free in l2cap_le_command_rej.

Signed-off-by: Zhengping Jiang <jiangzp@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 22100df1

net/bluetooth/l2cap_core.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -5723,9 +5723,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
		if (!chan)
		goto done;

		chan = l2cap_chan_hold_unless_zero(chan);
		if (!chan)
		goto done;

		l2cap_chan_lock(chan);
		l2cap_chan_del(chan, ECONNREFUSED);
		l2cap_chan_unlock(chan);
		l2cap_chan_put(chan);

		done:
		mutex_unlock(&conn->chan_lock);