
Patch kernel: backport Bluetooth L2CAP UAF fix in l2cap_sock_cleanup_listen() (torvalds/linux@ab1513597c6c) #17423

Closed
omkhar wants to merge 1 commit into microsoft:main from omkhar:oarasara/l2cap-uaf-ab1513597c6c-kernel-2.0

omkhar commented May 25, 2026

Backport upstream Bluetooth L2CAP UAF fix from torvalds/linux@ab15135.

Upstream: Author Safa Karakuş; Reported-by/Reviewed-by Siwei Zhang; Signed-off-by chain Safa → Luiz Augusto von Dentz. Cc: stable@vger.kernel.org. Fixes: 15f02b910562.

Backport type: CUSTOM 5.15 backport. Upstream commit touches 5 files including net/bluetooth/iso.c (added v6.0, doesn't exist on 5.15). af_bluetooth.c hunk needed contextual rewrite because 5.15 already absorbed the CVE-2025-39860 base fix (47f6090bcf75) which introduced an early sock_hold(sk). Backport is 4 files +60/-7.

Code-correctness: l2cap_sock_cleanup_listen function grew 332→501 bytes (+51%). l2cap_chan_hold_unless_zero already exported; now called from cleanup_listen per patch design.

LTP regression: Mariner 2.0 LTP-net (net.features/net.ipv6/net.multicast/net.tcp_cmds/net_stress.interface; 118 tests). 0 patch-induced regressions.

Mariner 2.0 caveat: AKS EOL 2025-11-30; PR for non-AKS consumers.

…listen() (torvalds/linux@ab1513597c6c)

Custom 5.15 backport: upstream commit touches 5 files including net/bluetooth/iso.c which does not exist on 5.15 (ISO added v6.0). af_bluetooth.c hunk needed contextual rewrite because 5.15 already absorbed the CVE-2025-39860 base fix (47f6090bcf75) which introduced an early sock_hold(sk). Backport is 4 files +60/-7. Upstream Author Safa Karakuş; Reported-by/Reviewed-by Siwei Zhang; Signed-off-by chain Safa→Luiz Augusto von Dentz preserved in the .patch trailer.

Signed-off-by: omkhar <omkhar@linkedin.com>
omkhar commented May 26, 2026

Closing as duplicate of #17424, which targets 3.0-dev (the correct branch for 3.0 backports per CONTRIBUTING). Same patch, please use #17424.

omkhar closed this May 26, 2026
omkhar commented May 26, 2026

Correction on my earlier close-as-duplicate framing: this was actually the Mariner 2.0 version of the same CVE fix (head branch is kernel-2.0), not a duplicate of its sibling 3.0-dev PR. Should have been on microsoft/CBL-Mariner from the start. Keeping closed — the 3.0-dev counterpart is still in flight on this repo, and Mariner-side will be re-filed (if wanted) on the correct repo after the Mariner-2.0 posture question on #17414 is settled.
