* [PATCH v2] Bluetooth: iso: Fix UAF on iso_sock_disconn
@ 2025-11-06 2:40 Yang Li via B4 Relay
From: Yang Li via B4 Relay @ 2025-11-06 2:40 UTC
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, Yang Li
From: Yang Li <yang.li@amlogic.com>
When the phone stops audio sharing, it terminates the BIG first
and then sends BASS modify and remove operation codes to clear
the shared BIG. If a BIG sync lost event occurs at the same time,
the BIG connection may already be deleted. Releasing the socket
in this case can lead to a NULL connection pointer.
kernel panic: Unable to handle kernel read from unreadable
memory at virtual address 00000000000003d8
Call trace:
iso_sock_disconn+0x110/0x1c8
__iso_sock_close+0x50/0x164
iso_sock_release+0x48/0xf0
__sock_release+0x40/0xb4
sock_close+0x18/0x28
__fput+0xd8/0x28c
__fput_sync+0x50/0x5c
__arm64_sys_close+0x38/0x7c
invoke_syscall+0x48/0x118
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc_compat+0x1c/0x34
el0_svc_compat+0x30/0x88
el0t_32_sync_handler+0x90/0x140
el0t_32_sync+0x198/0x19c
Signed-off-by: Yang Li <yang.li@amlogic.com>
---
Changes in v2:
- Add a description of this problem
- Link to v1: https://lore.kernel.org/r/20251105-kernel_panic-v1-1-88637054c6b9@amlogic.com
---
net/bluetooth/iso.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 74ec7d125c88..89c7700ceb81 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
case BT_CONNECT:
case BT_CONNECTED:
case BT_CONFIG:
- if (iso_pi(sk)->conn->hcon)
+ if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
iso_sock_disconn(sk);
else
iso_chan_del(sk, ECONNRESET);
break;
case BT_CONNECT2:
- if (iso_pi(sk)->conn->hcon &&
+ if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
(test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
iso_sock_disconn(sk);
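Review bot: the subject says "Fix UAF" but the description and the fault address describe a NULL pointer dereference, not a use-after-free: 00000000000003d8 is a small offset from NULL, which is what reading iso_pi(sk)->conn->hcon through a NULL conn produces, so either retitle the patch ("Fix NULL pointer dereference in __iso_sock_close") or explain in the description why a freed conn is the real cause. The backtrace also places the fault inside iso_sock_disconn (iso_sock_disconn+0x110/0x1c8, called from __iso_sock_close), i.e. after the existing "if (iso_pi(sk)->conn->hcon)" test had already passed, so prefixing "iso_pi(sk)->conn &&" to both guards in this hunk shrinks the window but does not by itself explain how conn becomes NULL between the test and the use; the description should name which lock serialises the BIG sync lost path against socket release, and each guard should read the pointer once into a local (conn = iso_pi(sk)->conn) instead of re-reading the field in the same condition. A Fixes: tag for the commit that introduced the unguarded dereference and a Cc: stable line are also missing.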
---
base-commit: 2747d929617743ecba08eeeb310283b4be681383
change-id: 20251105-kernel_panic-73adc703480d
Best regards,
--
Yang Li <yang.li@amlogic.com>
* RE: [v2] Bluetooth: iso: Fix UAF on iso_sock_disconn
From: bluez.test.bot @ 2025-11-06 3:15 UTC
To: linux-bluetooth, yang.li
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1020214
---Test result---
Test Summary:
  CheckPatch                 PENDING   0.47 seconds
  GitLint                    PENDING   0.30 seconds
  SubjectPrefix              PASS      2.72 seconds
  BuildKernel                PASS     22.82 seconds
  CheckAllWarning            PASS     25.13 seconds
  CheckSparse                PASS     27.98 seconds
  BuildKernel32              PASS     22.69 seconds
  TestRunnerSetup            PASS    452.35 seconds
  TestRunner_l2cap-tester    PASS     23.18 seconds
  TestRunner_iso-tester      PASS     61.75 seconds
  TestRunner_bnep-tester     PASS      5.97 seconds
  TestRunner_mgmt-tester     FAIL    117.46 seconds
  TestRunner_rfcomm-tester   PASS      9.18 seconds
  TestRunner_sco-tester      PASS     14.02 seconds
  TestRunner_ioctl-tester    PASS      9.63 seconds
  TestRunner_mesh-tester     FAIL     11.45 seconds
  TestRunner_smp-tester      PASS      8.30 seconds
  TestRunner_userchan-tester PASS      6.34 seconds
  IncrementalBuild           PENDING   1.11 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 483 (98.6%), Failed: 3, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.098 seconds
LL Privacy - Set Flags 3 (2 Devices to RL) Failed 0.164 seconds
LL Privacy - Start Discovery 1 (Disable RL) Failed 0.164 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.177 seconds
Mesh - Send cancel - 2 Timed out 1.993 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH v2] Bluetooth: iso: Fix UAF on iso_sock_disconn
From: Paul Menzel @ 2025-11-06 8:20 UTC
To: Yang Li
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
linux-bluetooth, linux-kernel
Dear Yang,
Thank you for the patch.
On 06.11.25 at 03:40, Yang Li via B4 Relay wrote:
> From: Yang Li <yang.li@amlogic.com>
>
> When the phone stops audio sharing, it terminates the BIG first
> and then sends BASS modify and remove operation codes to clear
> the shared BIG. If a BIG sync lost event occurs at the same time,
> the BIG connection may already be deleted. Releasing the socket
> in this case can lead to a NULL connection pointer.
>
> kernel panic: Unable to handle kernel read from unreadable
> memory at virtual address 00000000000003d8
> Call trace:
> iso_sock_disconn+0x110/0x1c8
> __iso_sock_close+0x50/0x164
> iso_sock_release+0x48/0xf0
> __sock_release+0x40/0xb4
> sock_close+0x18/0x28
> __fput+0xd8/0x28c
> __fput_sync+0x50/0x5c
> __arm64_sys_close+0x38/0x7c
> invoke_syscall+0x48/0x118
> el0_svc_common.constprop.0+0x40/0xe0
> do_el0_svc_compat+0x1c/0x34
> el0_svc_compat+0x30/0x88
> el0t_32_sync_handler+0x90/0x140
> el0t_32_sync+0x198/0x19c
>
> Signed-off-by: Yang Li <yang.li@amlogic.com>
> ---
> Changes in v2:
> - Add description about this problem
> - Link to v1: https://lore.kernel.org/r/20251105-kernel_panic-v1-1-88637054c6b9@amlogic.com
> ---
> net/bluetooth/iso.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 74ec7d125c88..89c7700ceb81 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> case BT_CONNECT:
> case BT_CONNECTED:
> case BT_CONFIG:
> - if (iso_pi(sk)->conn->hcon)
> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> iso_sock_disconn(sk);
> else
> iso_chan_del(sk, ECONNRESET);
> break;
>
> case BT_CONNECT2:
> - if (iso_pi(sk)->conn->hcon &&
> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
> test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
> iso_sock_disconn(sk);
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul