Bluetooth: ISO: Fix possible UAF on iso_conn_free

[ Upstream commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 ] This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2025-09-22 16:27:51 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-15 11:58:05 +0200
commit: 5319145a07d8bf5b0782b25cb3115825689d42bb (patch)
tree: f8d87a76a6802e22a76d3fd199cad71b7a4828ed /net
parent: 868196cc8ba80025e6999739188592d3f87c6543 (diff)
download: linux-5319145a07d8bf5b0782b25cb3115825689d42bb.tar.gz
linux-5319145a07d8bf5b0782b25cb3115825689d42bb.tar.bz2
linux-5319145a07d8bf5b0782b25cb3115825689d42bb.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index b94d202bf374..be71082d9eaf 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -718,6 +718,13 @@ static void iso_sock_kill(struct sock *sk)
 
 	BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+	if (iso_pi(sk)->conn) {
+		iso_conn_lock(iso_pi(sk)->conn);
+		iso_pi(sk)->conn->sk = NULL;
+		iso_conn_unlock(iso_pi(sk)->conn);
+	}
+
 	/* Kill poor orphan */
 	bt_sock_unlink(&iso_sk_list, sk);
 	sock_set_flag(sk, SOCK_DEAD);
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2025-09-22 16:27:51 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-10-15 11:58:05 +0200
commit	5319145a07d8bf5b0782b25cb3115825689d42bb (patch)
tree	f8d87a76a6802e22a76d3fd199cad71b7a4828ed /net
parent	868196cc8ba80025e6999739188592d3f87c6543 (diff)
download	linux-5319145a07d8bf5b0782b25cb3115825689d42bb.tar.gz linux-5319145a07d8bf5b0782b25cb3115825689d42bb.tar.bz2 linux-5319145a07d8bf5b0782b25cb3115825689d42bb.zip