Date: Wed, 15 Apr 2026 03:23:24 +0000
To: linux-bluetooth@vger.kernel.org
From: Feng Ning
Cc: linux-kernel@vger.kernel.org, marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, Feng Ning, stable@vger.kernel.org
Subject: [PATCH v3] Bluetooth: L2CAP: Fix ECRED reconf rsp channel teardown race
Message-ID: <20260415032318.78543-1-feng@innora.ai>
In-Reply-To: <20260415004725.39215-1-feng@innora.ai>
References: <20260413044730.86315-1-feng@innora.ai> <20260415004725.39215-1-feng@innora.ai>
X-Mailing-List: linux-kernel@vger.kernel.org

The ECRED reconfiguration response tears down all channels that were part of a failed procedure. The handler iterates over conn->chan_l while holding conn->lock, but l2cap_chan_hold() is called without first checking whether the reference count has already reached zero. A concurrent path (socket close, timer expiry) may drop the final reference outside conn->lock, causing a use-after-free when the response is handled.

Replace l2cap_chan_hold() with l2cap_chan_hold_unless_zero() so that channels whose reference count has already been dropped are skipped safely. Add lockdep_assert_held(&conn->lock) to document the calling requirements.

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org # v5.7+
Signed-off-by: Feng Ning --- net/bluetooth/l2cap_core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 77dec104a..191c38b4d 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5466,6 +5466,8 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap= _conn *conn, =20 BT_DBG("result 0x%4.4x", result); =20 + lockdep_assert_held(&conn->lock); + if (!result) return 0; =20 @@ -5473,7 +5475,9 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap= _conn *conn, if (chan->ident !=3D cmd->ident) continue; =20 - l2cap_chan_hold(chan); + if (!l2cap_chan_hold_unless_zero(chan)) + continue; + l2cap_chan_lock(chan); =20 l2cap_chan_del(chan, ECONNRESET); --=20 2.49.0
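Review bot: the lockdep_assert_held(&conn->lock) in the first hunk is placed after the BT_DBG() call rather than at function entry; it still covers every path, since it precedes the `if (!result) return 0;` early return, but moving it above the BT_DBG() would follow the usual convention of asserting lock state before any other work, and the commit message could name the callers that already hold conn->lock so reviewers can confirm the assertion never fires on a lockdep build.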
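Review bot: in the second hunk the `continue` on a failed l2cap_chan_hold_unless_zero() skips l2cap_chan_lock() and l2cap_chan_del() without having taken a reference, so no matching l2cap_chan_put() is needed on that path; the l2cap_chan_unlock()/l2cap_chan_put() that balanced the old unconditional l2cap_chan_hold() lies outside the hunk's context, so please confirm it remains reachable only after a successful hold, otherwise the skipped channel would be over-put.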
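As an added illustration that is not part of the patch or of the kernel's code, the following userspace C model shows the race the commit message describes: a walker over a channel list takes a reference on each matching entry, while one entry has already lost its last reference to a concurrent close. All names (chan, chan_hold, chan_hold_unless_zero, run_scenario) and the two-channel scenario are constructed for this example.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Model of an L2CAP channel: refcnt 0 means a concurrent close already
 * dropped the last reference and the object is on its way to being freed. */
struct chan { atomic_int refcnt; int ident; bool torn_down; };

/* Old behaviour: unconditional hold, which resurrects a dying object. */
static void chan_hold(struct chan *c) { atomic_fetch_add(&c->refcnt, 1); }

/* Patched behaviour: take a reference only while refcnt != 0 (CAS loop,
 * same contract as the kernel's *_get_unless_zero helpers). */
static bool chan_hold_unless_zero(struct chan *c)
{
    int old = atomic_load(&c->refcnt);
    while (old != 0)
        if (atomic_compare_exchange_weak(&c->refcnt, &old, old + 1))
            return true;
    return false;
}

static void chan_put(struct chan *c) { atomic_fetch_sub(&c->refcnt, 1); }

/* Walk the channel list like the reconf rsp handler; returns the number of
 * channels matching ident that were torn down. unsafe selects the old hold. */
static int reconf_rsp_teardown(struct chan *list, int n, int ident, bool unsafe)
{
    int done = 0;
    for (int i = 0; i < n; i++) {
        struct chan *c = &list[i];
        if (c->ident != ident)
            continue;
        if (unsafe)
            chan_hold(c);                   /* touches a freed object */
        else if (!chan_hold_unless_zero(c))
            continue;                       /* dying: skip it safely */
        c->torn_down = true;                /* stands in for chan_del */
        done++;
        chan_put(c);
    }
    return done;
}

/* Constructed scenario: two channels with ident 7, the second already at
 * refcnt 0. Reports whether the dying channel was touched by the walker. */
static int run_scenario(bool unsafe, bool *touched_dying)
{
    struct chan list[2] = { { 1, 7, false }, { 0, 7, false } };
    int done = reconf_rsp_teardown(list, 2, 7, unsafe);
    *touched_dying = list[1].torn_down;
    return done;
}
```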