* [PATCH 1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
@ 2026-05-27 4:59 Muhammad Bilal
From: Muhammad Bilal @ 2026-05-27 4:59 UTC (permalink / raw)
To: linux-bluetooth; +Cc: stable, marcel, luiz.dentz, Muhammad Bilal
iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().
Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/iso.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d7af617cda45..f03b7fa5dccc 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -564,7 +564,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
struct sock *sk;
iso_conn_lock(conn);
- sk = conn->sk;
+ sk = iso_sock_hold(conn);
iso_conn_unlock(conn);
if (!sk)
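Review bot: the `if (!sk)` early-out that follows this context must keep jumping to `drop` and not to a put path, because iso_sock_hold() returning NULL means no reference was taken. The fix rests entirely on iso_sock_hold() performing its NULL check and sock_hold() together under the conn lock, as the commit message states; a one-line comment above `sk = iso_sock_hold(conn);` saying that the reference is released at drop_put would help the next reader pair the hold with its put.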
@@ -573,11 +573,15 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
BT_DBG("sk %p len %d", sk, skb->len);
if (sk->sk_state != BT_CONNECTED)
- goto drop;
+ goto drop_put;
- if (!sock_queue_rcv_skb(sk, skb))
+ if (!sock_queue_rcv_skb(sk, skb)) {
+ sock_put(sk);
return;
+ }
+drop_put:
+ sock_put(sk);
drop:
kfree_skb(skb);
}
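Review bot: the label ordering is right: when sock_queue_rcv_skb() returns non-zero the skb is still owned by the caller, so falling through drop_put into drop does sock_put() and then kfree_skb(), and callers that took the `if (!sk)` path still land on `drop` without a put. One caveat worth a comment: `if (sk->sk_state != BT_CONNECTED)` is still read without lock_sock(), so it remains a racy read of the state; the held reference only guarantees that sk stays allocated, not that sk_state is stable, which is acceptable for a drop decision but should be stated so nobody mistakes the hold for full serialization.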
--
2.53.0
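A userspace model of the race this patch closes, added here as an example and not kernel code: it replays the interleaving from the commit message once with the old bare pointer read and once with the iso_sock_hold() pattern. The struct and function names mirror iso.c but are simplified stand-ins, and the conn lock is a flag rather than a spinlock.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Minimal stand-ins for the kernel objects; this is a model, not iso.c code. */
struct sock { int refcnt; bool freed; };
struct iso_conn { bool locked; struct sock *sk; };
static void iso_conn_lock(struct iso_conn *c)   { if (c->locked) abort(); c->locked = true; }
static void iso_conn_unlock(struct iso_conn *c) { c->locked = false; }
static void sock_hold(struct sock *sk) { sk->refcnt++; }
static void sock_put(struct sock *sk)  { if (--sk->refcnt == 0) sk->freed = true; } /* "kfree" */

/* Model of iso_sock_hold(): the conn lock is held, so conn->sk cannot change
 * between the NULL check and sock_hold(), and the reference exists before the
 * lock drops; iso_sock_kill() below therefore cannot free sk underneath us. */
static struct sock *iso_sock_hold(struct iso_conn *conn)
{
    if (!conn->locked || !conn->sk)
        return NULL;
    sock_hold(conn->sk);
    return conn->sk;
}

/* Model of iso_sock_kill(): detach the socket and drop the conn's reference. */
static void iso_sock_kill(struct iso_conn *conn)
{
    iso_conn_lock(conn);
    struct sock *sk = conn->sk;
    conn->sk = NULL;
    iso_conn_unlock(conn);
    if (sk) sock_put(sk);
}

/* The interleaving from the commit message, run sequentially: read sk, drop
 * the lock, let iso_sock_kill() run in the window, then touch sk (the
 * sk->sk_state read). Returns true if sk had already been freed at that point. */
static bool recv_frame_race(bool use_hold)
{
    struct sock *sk0 = calloc(1, sizeof *sk0);
    struct iso_conn conn = { .locked = false, .sk = sk0 };
    sk0->refcnt = 1;                                   /* reference owned by conn */
    iso_conn_lock(&conn);
    struct sock *sk = use_hold ? iso_sock_hold(&conn) : conn.sk;   /* new vs old line */
    iso_conn_unlock(&conn);
    if (!sk) { free(sk0); return false; }              /* the existing `if (!sk)` path */
    iso_sock_kill(&conn);                              /* concurrent close lands in the window */
    bool uaf = sk->freed;                              /* the use of sk */
    if (use_hold)
        sock_put(sk);                                  /* drop_put: balance the hold */
    free(sk0);
    return uaf;
}
```

recv_frame_race(false) reports the use-after-free the commit message describes; recv_frame_race(true) does not, because the conn's put only lowers the count to one.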
* [PATCH 2/2] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
From: Muhammad Bilal @ 2026-05-27 4:59 UTC (permalink / raw)
To: linux-bluetooth; +Cc: stable, marcel, luiz.dentz, Muhammad Bilal
iso_sock_close() calls iso_sock_clear_timer() before acquiring
lock_sock(sk).
iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
socket lock held:
    if (!iso_pi(sk)->conn)
        return;
    cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
the final reference to the connection being dropped:
    CPU0                              CPU1
    ----                              ----
    iso_sock_clear_timer()
      if (conn != NULL) ...
                                      lock_sock(sk)
                                      iso_chan_del()
                                        iso_pi(sk)->conn = NULL
      cancel_delayed_work(conn)       /* NULL deref or UAF */
iso_pi(sk)->conn is not stable across the unlock window, causing a
NULL pointer dereference or use-after-free.
Serialize iso_sock_clear_timer() with the socket lock by moving it
inside lock_sock()/release_sock(), matching the pattern used in
iso_conn_del() and all other call sites.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/iso.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index f03b7fa5dccc..876649556d3c 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -864,8 +864,8 @@ static void __iso_sock_close(struct sock *sk)
/* Must be called on unlocked socket. */
static void iso_sock_close(struct sock *sk)
{
- iso_sock_clear_timer(sk);
lock_sock(sk);
+ iso_sock_clear_timer(sk);
__iso_sock_close(sk);
release_sock(sk);
iso_sock_kill(sk);
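Review bot: moving the call under lock_sock(sk) serializes the two reads of iso_pi(sk)->conn against iso_chan_del(), which clears the pointer under the same lock, so the hunk closes the window described above. One caveat: this is only safe while iso_sock_clear_timer() keeps using cancel_delayed_work() rather than cancel_delayed_work_sync(); if the timeout work handler ever needs the socket lock, a synchronous cancel made from inside lock_sock() would deadlock. A short comment above the moved call noting that it now requires the socket lock would guard against that, and the existing "Must be called on unlocked socket." comment correctly stays, since it describes the caller of iso_sock_close().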
--
2.53.0
* RE: [1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
From: bluez.test.bot @ 2026-05-27 6:41 UTC (permalink / raw)
To: linux-bluetooth, meatuni001
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101377
---Test result---
Test Summary:
CheckPatch              PASS     1.58 seconds
VerifyFixes             PASS     0.13 seconds
VerifySignedoff         PASS     0.13 seconds
GitLint                 PASS     1.16 seconds
SubjectPrefix           PASS     0.25 seconds
BuildKernel             PASS    25.09 seconds
CheckAllWarning         PASS    27.91 seconds
CheckSparse             PASS    26.59 seconds
BuildKernel32           PASS    24.64 seconds
TestRunnerSetup         PASS   527.80 seconds
TestRunner_iso-tester   PASS    81.16 seconds
IncrementalBuild        PASS    26.12 seconds
https://github.com/bluez/bluetooth-next/pull/248
---
Regards,
Linux Bluetooth
* Re: [PATCH 1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
From: patchwork-bot+bluetooth @ 2026-05-27 20:50 UTC (permalink / raw)
To: Muhammad Bilal; +Cc: linux-bluetooth, stable, marcel, luiz.dentz
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 27 May 2026 04:59:17 +0000 you wrote:
> iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
> before using sk, with no reference held. A concurrent iso_sock_kill()
> can free sk in that window, causing use-after-free on sk->sk_state and
> sock_queue_rcv_skb().
>
> Fix by replacing the bare pointer read with iso_sock_hold(conn), which
> calls sock_hold() while the spinlock is held, atomically elevating the
> refcount before the lock drops. Add a drop_put label so sock_put() is
> called on all exit paths where the hold succeeded.
>
> [...]
Here is the summary with links:
- [1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
https://git.kernel.org/bluetooth/bluetooth-next/c/7e3545cc3d1a
- [2/2] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
https://git.kernel.org/bluetooth/bluetooth-next/c/7978ae58aafb
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html