* [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
@ 2026-06-26 11:53 WenTao Liang
2026-06-26 13:12 ` Paul Menzel
2026-06-26 13:40 ` bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: WenTao Liang @ 2026-06-26 11:53 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, linux-kernel, WenTao Liang, stable
In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
reference which is correctly balanced by iso_conn_put() at line 279. When
iso_sock_hold() returns NULL (sk == NULL), an additional
iso_conn_put(conn) is called, dropping hcon's reference to conn too
early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
causing a double-free or use-after-free.
Remove the extra iso_conn_put(conn) on the sk == NULL path.
Cc: stable@vger.kernel.org
Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
net/bluetooth/iso.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 3abd8111dda8..99755671e469 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
iso_conn_unlock(conn);
iso_conn_put(conn);
- if (!sk) {
- iso_conn_put(conn);
+ if (!sk)
return;
- }
lock_sock(sk);
iso_sock_clear_timer(sk);
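Review bot: the hunk deletes the second iso_conn_put() on the `if (!sk)` early-return path, but it shows neither which reference that put was dropping nor the sk != NULL tail of iso_conn_del(), so the symmetry of the two exit paths cannot be judged from the diff alone. If the sk path also finishes with its own iso_conn_put(conn) once the socket has been torn down, the deleted call is that path's counterpart rather than an extra put, and removing it would turn a (claimed) double put into a leak of conn. The commit message says the caller (e.g. hci_conn_del) performs a later iso_conn_put(); please name the function and call site where that happens, and attach the refcount/KASAN splat or a reproducer, since from the hunk either direction is plausible.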
--
2.39.5 (Apple Git-154)
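To make the refcount argument in the commit message concrete, the following is an added user-space model, not code from the patch or from net/bluetooth/iso.c. It encodes only the account the commit message gives (hcon holds one reference to conn; iso_conn_hold_unless_zero() takes a temporary one that the first iso_conn_put() balances; the caller drops hcon's reference later) and shows how an unbalanced put on the sk == NULL path makes that later drop land on an already-released object. The names conn_hold_unless_zero, conn_put, conn_del and teardown are hypothetical stand-ins; socket teardown on the sk != NULL path is deliberately not modelled, and whether the real function's tail matches this account is exactly what review of the full function has to confirm.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct iso_conn: only the lifetime bits. */
struct conn {
	int ref;        /* models the kref */
	bool freed;     /* set once the final put has released the object */
	bool has_sock;  /* whether the modelled iso_sock_hold() finds a socket */
};

/* Models iso_conn_hold_unless_zero(): take a reference only if one still exists. */
static bool conn_hold_unless_zero(struct conn *c)
{
	if (c->ref == 0)
		return false;
	c->ref++;
	return true;
}

/* Models iso_conn_put(). Returns 1 when this put releases the object,
 * 0 when a reference remains, and -1 when the object was already
 * released: that is the double-free / use-after-free the commit message
 * describes, made visible here as a counter that goes negative. */
static int conn_put(struct conn *c)
{
	if (c->freed || c->ref <= 0) {
		c->ref--;
		return -1;
	}
	if (--c->ref == 0) {
		c->freed = true;
		return 1;
	}
	return 0;
}

/* Models the entry of iso_conn_del() as the commit message describes it.
 * extra_put_on_no_sock == true reproduces the pre-patch code (second put
 * on the sk == NULL path); false reproduces the patched code. Socket
 * teardown on the sk != NULL path is not modelled. */
static int conn_del(struct conn *c, bool extra_put_on_no_sock)
{
	bool sk;

	if (!conn_hold_unless_zero(c))	/* object already gone */
		return 0;

	sk = c->has_sock;		/* stands in for iso_sock_hold(conn) */
	if (conn_put(c) < 0)		/* balances the hold above */
		return -1;

	if (!sk) {
		if (extra_put_on_no_sock && conn_put(c) < 0)
			return -1;
		return 0;
	}
	return 0;
}

/* One full teardown: hcon's reference exists (ref == 1), iso_conn_del()
 * runs, then the caller drops hcon's reference, which is what the commit
 * message says hci_conn_del() does later. Returns 1 if the object is
 * released exactly once, -1 if any put lands on an already-released object. */
static int teardown(bool has_sock, bool extra_put_on_no_sock)
{
	struct conn c = { .ref = 1, .freed = false, .has_sock = has_sock };

	if (conn_del(&c, extra_put_on_no_sock) < 0)
		return -1;
	if (conn_put(&c) < 0)		/* caller's later put of hcon's reference */
		return -1;
	return (c.freed && c.ref == 0) ? 1 : 0;
}

int main(void)
{
	printf("no socket, pre-patch : %d\n", teardown(false, true));   /* -1 */
	printf("no socket, patched   : %d\n", teardown(false, false));  /*  1 */
	printf("socket, pre-patch    : %d\n", teardown(true, true));    /*  1 */
	return 0;
}
```

The pre-patch, no-socket run is the only one where the counter goes negative: the second put inside conn_del() releases the object, so the caller's own put is a put on freed memory. If the real sk != NULL tail drops hcon's reference itself, the model's assumption that the caller does it is wrong and the conclusion flips, which is why the reviewers' request for the call site and a reproducer matters.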
* Re: [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
2026-06-26 11:53 [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path WenTao Liang
@ 2026-06-26 13:12 ` Paul Menzel
2026-06-26 13:40 ` bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: Paul Menzel @ 2026-06-26 13:12 UTC (permalink / raw)
To: WenTao Liang; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, stable
Dear Wen Tao,
Thank you for your patch. Some formalities:
The prefixes are well defined, and `fix:` will make the CI fail. Also,
it'd be great if you removed the triple space in the summary/title, and
made it a statement by adding a verb in the imperative mood. Maybe:
Bluetooth: Fix extra iso_conn_put on iso_sock_hold failure path
On 26.06.26 at 13:53, WenTao Liang wrote:
> In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
> reference which is correctly balanced by iso_conn_put() at line 279. When
> iso_sock_hold() returns NULL (sk == NULL), an additional
> iso_conn_put(conn) is called, dropping hcon's reference to conn too
> early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
> causing a double-free or use-after-free.
It's uncommon to indent any lines of a paragraph. I recommend removing
it; each line then also fits in 75 characters.
> Remove the extra iso_conn_put(conn) on the sk == NULL path.
Out of curiosity: Do you have a reproducer?
> Cc: stable@vger.kernel.org
> Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
> ---
> net/bluetooth/iso.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 3abd8111dda8..99755671e469 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
> iso_conn_unlock(conn);
> iso_conn_put(conn);
>
> - if (!sk) {
> - iso_conn_put(conn);
> + if (!sk)
> return;
> - }
>
> lock_sock(sk);
> iso_sock_clear_timer(sk);
gemini/gemini-3.1-pro-preview has two comments [1].
Kind regards,
Paul
[1]:
https://sashiko.dev/#/patchset/20260626115312.33528-1-vulab%40iscas.ac.cn
* RE: fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
2026-06-26 11:53 [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path WenTao Liang
2026-06-26 13:12 ` Paul Menzel
@ 2026-06-26 13:40 ` bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-06-26 13:40 UTC (permalink / raw)
To: linux-bluetooth, vulab
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1117045
---Test result---
Test Summary:
CheckPatch              PASS    1.25 seconds
VerifyFixes             PASS    0.37 seconds
VerifySignedoff         PASS    0.26 seconds
GitLint                 FAIL    0.59 seconds
SubjectPrefix           FAIL    0.13 seconds
BuildKernel             PASS    27.90 seconds
CheckAllWarning         PASS    30.35 seconds
CheckSparse             PASS    29.40 seconds
BuildKernel32           PASS    26.94 seconds
CheckKernelLLVM         SKIP    0.00 seconds
TestRunnerSetup         PASS    502.60 seconds
TestRunner_iso-tester   PASS    82.03 seconds
IncrementalBuild        PASS    25.51 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
1: T1 Title exceeds max length (82>80): "fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
https://github.com/bluez/bluetooth-next/pull/357
---
Regards,
Linux Bluetooth