Merge tag 'v6.17.8' into linux-6.17.ylinux-6.17.y

This is the 6.17.8 stable release
author: saturneric <[email protected]> 2025-11-16 14:34:50 +0000
committer: saturneric <[email protected]> 2025-11-16 14:34:50 +0000
commit: 690862a8d74fee1e07f33dad44b761753f101779 (patch)
tree: f81bdcab8cd5a640518dba5056de6c62bd071eaf /net/bluetooth/sco.c
parent: Merge tag 'v6.17.7' into linux-6.17.y (diff)
parent: Linux 6.17.8 (diff)
download: kernel-linux-6.17.y.tar.gz
kernel-linux-6.17.y.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index d382d980fd9a..ab0cf442d57b 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -498,6 +498,13 @@ static void sco_sock_kill(struct sock *sk)
 
 	BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+	if (sco_pi(sk)->conn) {
+		sco_conn_lock(sco_pi(sk)->conn);
+		sco_pi(sk)->conn->sk = NULL;
+		sco_conn_unlock(sco_pi(sk)->conn);
+	}
+
 	/* Kill poor orphan */
 	bt_sock_unlink(&sco_sk_list, sk);
 	sock_set_flag(sk, SOCK_DEAD);
author	saturneric <[email protected]>	2025-11-16 14:34:50 +0000
committer	saturneric <[email protected]>	2025-11-16 14:34:50 +0000
commit	690862a8d74fee1e07f33dad44b761753f101779 (patch)
tree	f81bdcab8cd5a640518dba5056de6c62bd071eaf /net/bluetooth/sco.c
parent	Merge tag 'v6.17.7' into linux-6.17.y (diff)
parent	Linux 6.17.8 (diff)
download	kernel-linux-6.17.y.tar.gz kernel-linux-6.17.y.zip