git.ipfire.org Git - thirdparty/kernel/linux.git/commit

Bluetooth: serialize accept_q access

bt_sock_poll() walks the accept queue without synchronization, while
child teardown can unlink the same socket and drop its last reference.
The unsynchronized accept queue walk has existed since the initial
Bluetooth import.

Protect accept_q with a dedicated lock for queue updates and polling.
Also rework bt_accept_dequeue() to take temporary child references under
the queue lock before dropping it and locking the child socket.

Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Jann Horn <jannh@google.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

author	Jiexun Wang <wangjiexun2025@gmail.com>
	Wed, 6 May 2026 11:43:30 +0000 (19:43 +0800)
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Thu, 14 May 2026 13:49:56 +0000 (09:49 -0400)
commit	e83f5e24da741fa9405aeeff00b08c5ee7c37b88
tree	68e01705070c1cfe3fdc983259ed529301d4550d	tree \| snapshot
parent	c78bdba7b9666020c0832150a4fc4c0aebc7c6ac	commit \| diff

include/net/bluetooth/bluetooth.h		diff \| blob \| blame \| history
net/bluetooth/af_bluetooth.c		diff \| blob \| blame \| history