Skip to content

[PW_SID:1098163] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()#221

Open
BluezTestBot wants to merge 6 commits into
workflowfrom
1098163
Open

[PW_SID:1098163] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()#221
BluezTestBot wants to merge 6 commits into
workflowfrom
1098163

Conversation

@BluezTestBot
Copy link
Copy Markdown

@BluezTestBot BluezTestBot commented May 20, 2026

l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
release_sock(parent). Once the parent lock is released, the child
socket sk can be freed by another task.

Allocate the channel outside the func to prevent this.

Fixes: 8ffb929 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
Cc: stable@kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Siwei Zhang oss@fourdim.xyz

include/net/bluetooth/l2cap.h | 8 +++--
net/bluetooth/6lowpan.c | 14 ++++-----
net/bluetooth/l2cap_core.c | 58 ++++++++++++++++++++++++++++-------
net/bluetooth/l2cap_sock.c | 48 +++++++++++++++++------------
net/bluetooth/smp.c | 13 +++-----
5 files changed, 91 insertions(+), 50 deletions(-)

tedd-an and others added 6 commits May 13, 2026 17:39
@tedd-an @Vudentz
workflow: Add workflow files for ci
233c3f2 
This patch adds workflow files for ci:

[sync.yml]
 - The workflow file for scheduled work
 - Sync the repo with upstream repo and rebase the workflow branch
 - Review the patches in the patchwork and creates the PR if needed

[ci.yml]
 - The workflow file for CI tasks
 - Run CI tests when PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
@Vudentz
workflows: Make use bluez/action-ci action
e8329bd 
This replaces the bzcafe action with bluez/action-ci so we can maintain
everything in the github bluez organization

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Attempt to sync every 5 minutes
21607fe 
This attempts to sync every 5 minutes instead of 30.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Set workflow to use worflow branch
cc49aee 
bluez/action-ci uses master as default branch for workflow which is
incorrect for kernel

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/ci: Add checks:write permission and explicit reopened trigger
b227437 
The CI action now creates individual GitHub Check Runs per test, which
requires 'checks: write' permission on the GITHUB_TOKEN. Also make the
pull_request trigger types explicit to include 'reopened', allowing CI
to be retriggered by closing and reopening a PR.
@fourdim @Vudentz
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
2a74275 
l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
release_sock(parent). Once the parent lock is released, the child
socket sk can be freed by another task.

Allocate the channel outside the func to prevent this.

Fixes: 8ffb929 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
Cc: stable@kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 1.67 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.13 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 24.93 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.79 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 26.40 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.49 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 521.38 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 376.22 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 17.96 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 50.91 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 20, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 24.22 seconds
Result: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area:l2cap area:smp area:6lowpan

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@BluezTestBot @tedd-an @Vudentz @fourdim