From: Luiz Augusto von Dentz Date: Mon, 22 Sep 2025 20:27:51 +0000 (-0400) Subject: Bluetooth: ISO: Fix possible UAF on iso_conn_free X-Git-Tag: v6.12.53~60 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80689777919f02328eb873769de4647c9dd3e371;p=thirdparty%2Fkernel%2Fstable.git Bluetooth: ISO: Fix possible UAF on iso_conn_free [ Upstream commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 ] This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin --- diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index a08a0f3d5003c..df21c79800fb6 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -743,6 +743,13 @@ static void iso_sock_kill(struct sock *sk) BT_DBG("sk %p state %d", sk, sk->sk_state); + /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ + if (iso_pi(sk)->conn) { + iso_conn_lock(iso_pi(sk)->conn); + iso_pi(sk)->conn->sk = NULL; + iso_conn_unlock(iso_pi(sk)->conn); + } + /* Kill poor orphan */ bt_sock_unlink(&iso_sk_list, sk); sock_set_flag(sk, SOCK_DEAD);
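Review bot: in the added block in iso_sock_kill, iso_pi(sk)->conn is dereferenced three times with no lock held before iso_conn_lock() is called on it, so if another path can clear or free the conn between the NULL check and the lock call, the lock is taken on a stale pointer; caching it once (`struct iso_conn *conn = iso_pi(sk)->conn;`) and confirming that the freeing side (iso_conn_free, per the commit message) inspects conn->sk under the same iso_conn_lock would make it clear that the NULL assignment actually closes the race rather than narrowing it. Minor: the comment says "Sock is dead" but SOCK_DEAD is only set two lines later via sock_set_flag(sk, SOCK_DEAD), so "Sock is being killed" would match the order of operations. The commit message ("This attempt to fix similar issue") also reads as tentative; stating plainly that this mirrors the sco_conn_free fix would help anyone bisecting later.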