From: Zhengping Jiang Date: Thu, 25 May 2023 00:04:15 +0000 (-0700) Subject: Bluetooth: L2CAP: Fix use-after-free X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f752a0b334bb95fe9b42ecb511e0864e2768046f;p=users%2Fjedix%2Flinux-maple.git Bluetooth: L2CAP: Fix use-after-free Fix potential use-after-free in l2cap_le_command_rej. Signed-off-by: Zhengping Jiang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Jakub Kicinski --- diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index c5e8798e297c..17ca13e8c044 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6374,9 +6374,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn, if (!chan) goto done; + chan = l2cap_chan_hold_unless_zero(chan); + if (!chan) + goto done; + l2cap_chan_lock(chan); l2cap_chan_del(chan, ECONNREFUSED); l2cap_chan_unlock(chan); + l2cap_chan_put(chan); done: mutex_unlock(&conn->chan_lock);