Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect()


has solved the UAF. The introduction of the kref object ensures the dangling sco_conn object being freed in the function sco_conn_del when the asynchronous hci event thread is invoked, which stops the subsequent exploit chain. I'm not sure if this commit is related to the email I sent, because I sent the first email to security () kernel org on November 14th, and the commit was on November 15th.
