CVE-2025-39860

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()<br /> <br /> syzbot reported the splat below without a repro.<br /> <br /> In the splat, a single thread calling bt_accept_dequeue() freed sk<br /> and touched it after that.<br /> <br /> The root cause would be the racy l2cap_sock_cleanup_listen() call<br /> added by the cited commit.<br /> <br /> bt_accept_dequeue() is called under lock_sock() except for<br /> l2cap_sock_release().<br /> <br /> Two threads could see the same socket during the list iteration<br /> in bt_accept_dequeue():<br /> <br /> CPU1 CPU2 (close())<br /> ---- ----<br /> sock_hold(sk) sock_hold(sk);<br /> lock_sock(sk)