Bluetooth: ISO: Fix possible UAF on iso_conn_free

[ Upstream commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 ] This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-09-22 16:27:51 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-15 12:04:10 +0200
commit: c92ad1a155ccfa38b87bd1d998287e1c0a24248d (patch)
tree: 3abe636f90a8635dd118919eacdaaadf754c6d3c /net
parent: 33f94b750dc6c1e6f3e1fa70e064bb3ceeaa9f2d (diff)
download: linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.tar.gz
linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.tar.bz2
linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 5ce823ca3aaf..c047a15e3fa3 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -750,6 +750,13 @@ static void iso_sock_kill(struct sock *sk)
 
 	BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+	if (iso_pi(sk)->conn) {
+		iso_conn_lock(iso_pi(sk)->conn);
+		iso_pi(sk)->conn->sk = NULL;
+		iso_conn_unlock(iso_pi(sk)->conn);
+	}
+
 	/* Kill poor orphan */
 	bt_sock_unlink(&iso_sk_list, sk);
 	sock_set_flag(sk, SOCK_DEAD);
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2025-09-22 16:27:51 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-10-15 12:04:10 +0200
commit	c92ad1a155ccfa38b87bd1d998287e1c0a24248d (patch)
tree	3abe636f90a8635dd118919eacdaaadf754c6d3c /net
parent	33f94b750dc6c1e6f3e1fa70e064bb3ceeaa9f2d (diff)
download	linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.tar.gz linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.tar.bz2 linux-c92ad1a155ccfa38b87bd1d998287e1c0a24248d.zip