Bluetooth: ISO: fix UAF in iso_recv_frame

iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().

Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d7af617cda45e4581e11de60ba398712692e8316..f03b7fa5dccc96ca194e7c9ece17341f3ea83529 100644 (file)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -564,7 +564,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
        struct sock *sk;
 
        iso_conn_lock(conn);
-       sk = conn->sk;
+       sk = iso_sock_hold(conn);
        iso_conn_unlock(conn);
 
        if (!sk)
@@ -573,11 +573,15 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
        BT_DBG("sk %p len %d", sk, skb->len);
 
        if (sk->sk_state != BT_CONNECTED)
-               goto drop;
+               goto drop_put;
 
-       if (!sock_queue_rcv_skb(sk, skb))
+       if (!sock_queue_rcv_skb(sk, skb)) {
+               sock_put(sk);
                return;
+       }
 
+drop_put:
+       sock_put(sk);
 drop:
        kfree_skb(skb);
 }