Bluetooth: L2CAP: Fix use-after-free

author Zhengping Jiang <jiangzp@google.com>

Thu, 25 May 2023 00:04:15 +0000 (17:04 -0700)

committer Jakub Kicinski <kuba@kernel.org>

Thu, 29 Jun 2023 17:48:35 +0000 (10:48 -0700)
author Zhengping Jiang <jiangzp@google.com>
Thu, 25 May 2023 00:04:15 +0000 (17:04 -0700)
committer Jakub Kicinski <kuba@kernel.org>
Thu, 29 Jun 2023 17:48:35 +0000 (10:48 -0700)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c

index c5e8798..17ca13e 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6374,9 +6374,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
         if (!chan)
                 goto done;
  
+       chan = l2cap_chan_hold_unless_zero(chan);
+       if (!chan)
+               goto done;
+
         l2cap_chan_lock(chan);
         l2cap_chan_del(chan, ECONNREFUSED);
         l2cap_chan_unlock(chan);
+       l2cap_chan_put(chan);
  
  done:
         mutex_unlock(&conn->chan_lock);
author	Zhengping Jiang <jiangzp@google.com>
	Thu, 25 May 2023 00:04:15 +0000 (17:04 -0700)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 29 Jun 2023 17:48:35 +0000 (10:48 -0700)