Bluetooth: ISO: Fix possible UAF on iso_conn_free
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Mon, 22 Sep 2025 20:27:51 +0000 (16:27 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Oct 2025 10:00:18 +0000 (12:00 +0200)
[ Upstream commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 ]

This attempts to fix an issue similar to the one in sco_conn_free: if
conn->sk is not set to NULL when the socket is killed, a UAF may occur
in iso_conn_free.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/bluetooth/iso.c

index a08a0f3d5003cc264ec31af80206d9b681190684..df21c79800fb671202eb40a0eb1bf7a95497993f 100644 (file)
@@ -743,6 +743,13 @@ static void iso_sock_kill(struct sock *sk)
 
        BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+       /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+       if (iso_pi(sk)->conn) {
+               iso_conn_lock(iso_pi(sk)->conn);
+               iso_pi(sk)->conn->sk = NULL;
+               iso_conn_unlock(iso_pi(sk)->conn);
+       }
+
        /* Kill poor orphan */
        bt_sock_unlink(&iso_sk_list, sk);
        sock_set_flag(sk, SOCK_DEAD);
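Review bot: The new block re-reads `iso_pi(sk)->conn` three times (the check, the lock and the unlock) instead of loading it once into a local, so nothing in the code itself guarantees that the pointer passed to iso_conn_lock() and iso_conn_unlock() is the same one whose `sk` field is cleared; if another path can clear `iso_pi(sk)->conn` concurrently, the unlock would be attempted on NULL. Hoisting the read, `struct iso_conn *conn = iso_pi(sk)->conn;`, and using `conn` in the four places below makes the lock/clear/unlock sequence operate on one object and reads more like the sco_sock_kill counterpart the description refers to. The initial read of the conn pointer still happens before the conn lock is taken, so this relies on the caller's serialization (presumably the socket lock) to keep the conn alive across the check — worth a comment stating that assumption, e.g. `/* caller holds the socket lock; conn cannot be freed under us */`, if it holds. iso_sock_kill's body begins before this hunk and continues after it.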