PT-2026-30155 · Linux · Linux

Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-23461

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_register_user() and l2cap_unregister_user() don't use conn->lock, creating a race condition where these functions can access conn->users and conn->hchan concurrently with l2cap_conn_del().
This can lead to use-after-free and list corruption bugs, as reported by syzbot.
Fix this by changing l2cap_register_user() and l2cap_unregister_user() to use conn->lock instead of hci_dev_lock(), ensuring consistent locking for the l2cap_conn structure.
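
The locking rule the fix describes, as an added user-space illustration that is not the kernel patch or any code from this advisory: register, unregister and teardown all take the same per-connection lock, so the hchan check and every change to the users list happen in one critical section. The struct layouts, the conn_* function names and the pthread mutex standing in for conn->lock are assumptions made for the example.

```c
/* Simplified user-space model of the locking rule; constructed, not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
struct user { struct user *next; };
struct conn {
    pthread_mutex_t lock;   /* stands in for conn->lock */
    void *hchan;            /* set to NULL by teardown */
    struct user *users;     /* stands in for conn->users */
};
/* The hchan check and the list insert share one critical section. */
int conn_register_user(struct conn *c, struct user *u)
{
    int ret = -ENODEV;      /* result when teardown has already run */
    pthread_mutex_lock(&c->lock);
    if (c->hchan) { u->next = c->users; c->users = u; ret = 0; }
    pthread_mutex_unlock(&c->lock);
    return ret;
}

/* Returns 1 if unlinked here, 0 if teardown already emptied the list. */
int conn_unregister_user(struct conn *c, struct user *u)
{
    int found = 0;
    pthread_mutex_lock(&c->lock);
    for (struct user **pp = &c->users; *pp; pp = &(*pp)->next)
        if (*pp == u) { *pp = u->next; u->next = NULL; found = 1; break; }
    pthread_mutex_unlock(&c->lock);
    return found;
}

/* Teardown takes the same lock; returns the number of users detached. */
int conn_del(struct conn *c)
{
    int n = 0;
    pthread_mutex_lock(&c->lock);
    for (struct user *u; (u = c->users) != NULL; n++) { c->users = u->next; u->next = NULL; }
    c->hchan = NULL;
    pthread_mutex_unlock(&c->lock);
    return n;
}

int main(void)
{
    struct conn c = { PTHREAD_MUTEX_INITIALIZER, &c, NULL };  /* any non-NULL hchan */
    struct user a = { NULL };
    int reg = conn_register_user(&c, &a), del = conn_del(&c);
    printf("reg=%d detached=%d late_unreg=%d\n", reg, del, conn_unregister_user(&c, &a));
    return 0;
}
```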

Related Identifiers

CVE-2026-23461

Affected Products

Linux