diff options
| author | Muhammad Bilal <meatuni001@gmail.com> | 2026-05-27 04:59:17 +0000 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2026-05-27 15:41:56 -0400 |
| commit | 7e3545cc3d1abcc4669145369f0208c9352d80a8 (patch) | |
| tree | 1be8ce0a740f9ad05274c8d48721357bc98e68a9 /net | |
| parent | 1403053c428f6ef054b0bfb0f62d0cb578f93b4d (diff) | |
| download | linux-next-history-7e3545cc3d1abcc4669145369f0208c9352d80a8.tar.gz | |
Bluetooth: ISO: fix UAF in iso_recv_frame
iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().
Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/iso.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 1c90d0fbcb4ae..10e05350f2414 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -565,7 +565,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) struct sock *sk; iso_conn_lock(conn); - sk = conn->sk; + sk = iso_sock_hold(conn); iso_conn_unlock(conn); if (!sk) @@ -574,11 +574,15 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb) BT_DBG("sk %p len %d", sk, skb->len); if (sk->sk_state != BT_CONNECTED) - goto drop; + goto drop_put; - if (!sock_queue_rcv_skb(sk, skb)) + if (!sock_queue_rcv_skb(sk, skb)) { + sock_put(sk); return; + } +drop_put: + sock_put(sk); drop: kfree_skb(skb); } |