* [PATCH v2 2/2] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-01 20:41 UTC
To: linux-bluetooth
In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
dropped:
	bis = iso_pi(sk)->conn->hcon;
	/* Release the socket before lookups since that requires hci_dev_lock
	 * which shall not be acquired while holding sock_lock for proper
	 * ordering.
	 */
	release_sock(sk);
	hci_dev_lock(bis->hdev);
hci_dev_lock(bis->hdev);
During the unlocked window, a concurrent close() could destroy the connection
and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
after it is freed. Fix this by using the hdev reference which was safely
acquired via iso_conn_get_hdev().
Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/iso.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index a93269eb53b7..8c52800bb93a 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1083,7 +1083,7 @@ static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa,
* ordering.
*/
release_sock(sk);
- hci_dev_lock(bis->hdev);
+ hci_dev_lock(hdev);
lock_sock(sk);
if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
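Review bot: Only the hci_dev_lock() call is switched to hdev here; the matching hci_dev_unlock() later in iso_sock_rebind_bc() is outside this context, so confirm it also unlocks hdev rather than bis->hdev, including on the early-return path taken when `iso_pi(sk)->conn->hcon != bis`, where bis may already have been freed. The trailing context line still compares against the cached bis pointer, which is fine as a pure address comparison under lock_sock(sk); a short comment that bis must not be dereferenced before that check would make the intent clear, since bis is only a stale pointer in the unlocked window.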
--
2.53.0
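The race described in the commit message, modeled in userspace as an added example (this is not the kernel's code and is not part of the patch): a refcounted hdev, an hcon that a concurrent close() can destroy while the socket lock is dropped, and the rebind step both before and after the fix. The struct names, the `freed` flag, the window callback and the return codes are constructed stand-ins for the kernel's hci_dev_hold()/hci_dev_put(), hci_conn_del() and lock primitives; `run()` wires a scenario together from constructed objects so the two paths can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the locking pattern in iso_sock_rebind_bc().
 * Locks are plain flags; the hdev refcount stands in for hci_dev_hold/put. */
struct hdev {
	int refs;            /* reference count, hci_dev_hold()/hci_dev_put() style */
	bool locked;         /* stands in for hci_dev_lock()/hci_dev_unlock() */
};

struct hcon {
	struct hdev *hdev;
	bool freed;          /* set when the model "frees" the object */
};

struct sock {
	struct hcon *hcon;   /* iso_pi(sk)->conn->hcon in the real code */
	bool locked;         /* stands in for lock_sock()/release_sock() */
};

static struct hdev *hdev_get(struct hdev *h) { h->refs++; return h; }
static void hdev_put(struct hdev *h) { h->refs--; }

/* Model of hci_conn_del(): the hcon goes away and its hdev link is cleared.
 * Touching the object afterwards is a use-after-free in the real kernel. */
static void hcon_destroy(struct hcon *c) { c->freed = true; c->hdev = NULL; }

/* What may run in the window between release_sock() and lock_sock(). */
typedef void (*window_fn)(struct sock *sk);
static void close_during_window(struct sock *sk)   /* a concurrent close() */
{
	hcon_destroy(sk->hcon);
	sk->hcon = NULL;
}
static void quiet_window(struct sock *sk) { (void)sk; }  /* nothing races */

/* Before the fix: cache bis, drop the sock lock, then dereference bis->hdev.
 * Returns 0 on success or -1 when the cached pointer was used after free
 * (the real code would crash or corrupt memory instead of returning). */
static int rebind_unsafe(struct sock *sk, window_fn race)
{
	struct hcon *bis = sk->hcon;

	sk->locked = false;              /* release_sock(sk) */
	race(sk);
	if (bis->freed)                  /* hci_dev_lock(bis->hdev) on freed memory */
		return -1;
	bis->hdev->locked = true;
	sk->locked = true;               /* lock_sock(sk) */
	bis->hdev->locked = false;
	return 0;
}

/* After the fix: hold an hdev reference before dropping the sock lock, lock
 * through that reference, then re-validate the cached hcon under the sock
 * lock before touching it. Returns 0 on success, -2 if the connection changed. */
static int rebind_safe(struct sock *sk, window_fn race)
{
	struct hcon *bis = sk->hcon;
	struct hdev *hdev = hdev_get(bis->hdev);   /* iso_conn_get_hdev() */
	int err = 0;

	sk->locked = false;              /* release_sock(sk) */
	race(sk);
	hdev->locked = true;             /* hci_dev_lock(hdev): bis is never read */
	sk->locked = true;               /* lock_sock(sk) */
	if (!sk->hcon || sk->hcon != bis)
		err = -2;                /* pointer comparison only; bail out */
	hdev->locked = false;
	hdev_put(hdev);
	return err;
}

/* Build one constructed scenario and run either path. Returns the path's
 * error code, or -99 if the fixed path leaked or dropped an hdev reference. */
static int run(bool fixed, bool race)
{
	struct hdev h = { .refs = 1, .locked = false };
	struct hcon c = { .hdev = &h, .freed = false };
	struct sock sk = { .hcon = &c, .locked = true };
	window_fn w = race ? close_during_window : quiet_window;
	int err = fixed ? rebind_safe(&sk, w) : rebind_unsafe(&sk, w);

	if (fixed && h.refs != 1)
		return -99;
	return err;
}

int main(void)
{
	printf("unsafe, no race:   %d\n", run(false, false));
	printf("unsafe, close():   %d\n", run(false, true));   /* -1: use after free */
	printf("fixed,  no race:   %d\n", run(true, false));
	printf("fixed,  close():   %d\n", run(true, true));    /* -2: clean bail-out */
	return 0;
}
```

The point the model makes is the one the commit message relies on: the hdev reference obtained before the lock is dropped stays valid regardless of what happens to the hcon, and the cached bis pointer is only ever compared, never dereferenced, until the socket lock is held again and the comparison has passed.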
* RE: [v2,1/2] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync
From: bluez.test.bot
Date: 2026-06-01 23:47 UTC
To: linux-bluetooth, luiz.dentz
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1104231
---Test result---
Test Summary:
Test                    Result   Duration
CheckPatch              FAIL     1.31 seconds
VerifyFixes             PASS     0.12 seconds
VerifySignedoff         PASS     0.12 seconds
GitLint                 FAIL     0.59 seconds
SubjectPrefix           PASS     0.22 seconds
BuildKernel             PASS     24.89 seconds
CheckAllWarning         PASS     27.42 seconds
CheckSparse             PASS     26.41 seconds
BuildKernel32           PASS     24.37 seconds
TestRunnerSetup         PASS     520.37 seconds
TestRunner_iso-tester   PASS     78.40 seconds
IncrementalBuild        PASS     26.38 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2,1/2] Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#103:
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
total: 0 errors, 1 warnings, 0 checks, 7 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14605715.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[v2,2/2] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#112:
During the unlocked window, could a concurrent close() destroy the connection
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#118:
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
total: 0 errors, 2 warnings, 0 checks, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14605716.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2,2/2] Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
7: B3 Line contains hard tab characters (\t): " bis = iso_pi(sk)->conn->hcon;"
8: B3 Line contains hard tab characters (\t): " /* Release the socket before lookups since that requires hci_dev_lock"
9: B3 Line contains hard tab characters (\t): " * which shall not be acquired while holding sock_lock for proper"
10: B3 Line contains hard tab characters (\t): " * ordering."
11: B3 Line contains hard tab characters (\t): " */"
12: B3 Line contains hard tab characters (\t): " release_sock(sk);"
13: B3 Line contains hard tab characters (\t): " hci_dev_lock(bis->hdev);"
https://github.com/bluez/bluetooth-next/pull/271
---
Regards,
Linux Bluetooth