Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

Summary

CVECVE-2026-53358
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-02 15:17:03 UTC
Updated2026-07-02 15:17:03 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() l2cap_chan_close() removes the channel from conn->chan_l, which must be done under conn->lock. cleanup_listen() runs under the parent sk_lock, so acquiring conn->lock would invert the established conn->lock -> chan->lock -> sk_lock order. Instead of calling l2cap_chan_close() directly, schedule l2cap_chan_timeout with delay 0 to close the channel asynchronously. The timeout handler already acquires conn->lock and chan->lock in the correct order. The timer is only armed when chan->conn is still set: if it is already NULL, l2cap_conn_del() has already processed this channel (l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb), so there is nothing left to do. If l2cap_conn_del() races in after the timer is armed, __clear_chan_timer() inside l2cap_chan_del() cancels it; if the timer has already fired, the handler returns harmlessly because chan->conn was cleared.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 3634cbdc2eb414b69ffa752ddbe5e0458518e321 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 e1c100e2d61bd8c718b7d91fe3e050780a9bf72d git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 89dec92041717b027216e110599e4f6d6c921b79 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 50dfec218808b148ab4247b1858031b7a32015c5 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 859d3ace791ed878ae9ba5522c7844d960da8f88 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 7555fd885a0603f50e49a655850a1f2bd8a25398 git Not specified
CNA Linux Linux affected 3df91ea20e744344100b10ae69a17211fcf5b207 8c8e620467a7b51562dbcefbd1f09f288d7d710d git Not specified
CNA Linux Linux affected 3.4 Not specified
CNA Linux Linux unaffected 3.4 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.93 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.35 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.12 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/89dec92041717b027216e110599e4f6d6c921b79 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8c8e620467a7b51562dbcefbd1f09f288d7d710d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e1c100e2d61bd8c718b7d91fe3e050780a9bf72d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7555fd885a0603f50e49a655850a1f2bd8a25398 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/859d3ace791ed878ae9ba5522c7844d960da8f88 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3634cbdc2eb414b69ffa752ddbe5e0458518e321 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/50dfec218808b148ab4247b1858031b7a32015c5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report