From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 15 May 2026 15:03:32 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a5a70397be602a33f91577c38ac89639ddd0a86;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
---

diff --git a/queue-5.15/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch b/queue-5.15/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
new file mode 100644
index 0000000000..ea81b2a8e8
--- /dev/null
+++ b/queue-5.15/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
@@ -0,0 +1,33 @@
+From 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:53:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1715,6 +1715,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
+ {
+ 	struct sock *sk = chan->data;
+ 
++	if (!sk)
++		return 0;
++
+ 	return sk->sk_sndtimeo;
+ }
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 79cfac4740..20b1961b3e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -382,3 +382,4 @@ batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch
 batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
 batman-adv-bla-only-purge-non-released-claims.patch
 batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch