Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del(). This can lead to use-after-free and list corruption bugs, as reported by syzbot. Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
Product status
efc30877bd4bc85fefe98d80af60fafc86e5775e (git) before 11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
f87271d21dd4ee83857ca11b94e7b4952749bbae (git) before c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before da3000cbe4851458a22be38bb18c0689c39fdd5f
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before 71030f3b3015a412133a805ff47970cdcf30c2b8
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before 752a6c9596dd25efd6978a73ff21f3b592668f4a
18ab6b6078fa8191ca30a3065d57bf35d5635761 (git)
6.6.84 (semver) before 6.6.130
6.12.20 (semver) before 6.12.78
6.13.8 (semver) before 6.14
6.14
Any version before 6.14
6.6.130 (semver)
6.12.78 (semver)
6.18.20 (semver)
6.19.10 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/11a87dd5df428a4b79a84d2790cac7f3c73f1f0d
git.kernel.org/...c/c22a5e659959eb77c2fbb58a5adfaf3c3dab7abf
git.kernel.org/...c/da3000cbe4851458a22be38bb18c0689c39fdd5f
git.kernel.org/...c/71030f3b3015a412133a805ff47970cdcf30c2b8
git.kernel.org/...c/752a6c9596dd25efd6978a73ff21f3b592668f4a