[PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock

Linux bluetooth development
 help / color / mirror / Atom feed

* [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold   failure path
@ 2026-06-26 11:53 WenTao Liang
  2026-06-26 13:12 ` Paul Menzel
  2026-06-26 13:40 ` bluez.test.bot
  0 siblings, 2 replies; 3+ messages in thread
From: WenTao Liang @ 2026-06-26 11:53 UTC (permalink / raw)
  To: marcel, luiz.dentz; +Cc: linux-bluetooth, linux-kernel, WenTao Liang, stable

In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
  reference which is correctly balanced by iso_conn_put() at line 279. When
  iso_sock_hold() returns NULL (sk == NULL), an additional
  iso_conn_put(conn) is called, dropping hcon's reference to conn too
  early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
  causing a double-free or use-after-free.

Remove the extra iso_conn_put(conn) on the sk == NULL path.

Cc: stable@vger.kernel.org
Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
 net/bluetooth/iso.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 3abd8111dda8..99755671e469 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
 	iso_conn_unlock(conn);
 	iso_conn_put(conn);
 
-	if (!sk) {
-		iso_conn_put(conn);
+	if (!sk)
 		return;
-	}
 
 	lock_sock(sk);
 	iso_sock_clear_timer(sk);
-- 
2.39.5 (Apple Git-154)


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
  2026-06-26 11:53 [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path WenTao Liang
@ 2026-06-26 13:12 ` Paul Menzel
  2026-06-26 13:40 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Menzel @ 2026-06-26 13:12 UTC (permalink / raw)
  To: WenTao Liang; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, stable

Dear Wen Tao,


Thank you for your patch. Some formalities:

The prefixes are well defined, and `fix:` will make the CI fail. Also, 
it’d be great if you removed the tripple space in the summary/title, and 
made it a statement by adding a verb in imperative mood. Maybe:

Bluetooth: Fix extra iso_conn_put on iso_sock_hold failure path

Am 26.06.26 um 13:53 schrieb WenTao Liang:
> In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
>    reference which is correctly balanced by iso_conn_put() at line 279. When
>    iso_sock_hold() returns NULL (sk == NULL), an additional
>    iso_conn_put(conn) is called, dropping hcon's reference to conn too
>    early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
>    causing a double-free or use-after-free.

It’s uncommon to indent any lines of a paragraph. I recommend to remove 
it, and then each line also fits in 75 characters.

> Remove the extra iso_conn_put(conn) on the sk == NULL path.

Out of curiosity: Do you have a reproducer?

> Cc: stable@vger.kernel.org
> Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
> ---
>   net/bluetooth/iso.c | 4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 3abd8111dda8..99755671e469 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
>   	iso_conn_unlock(conn);
>   	iso_conn_put(conn);
>   
> -	if (!sk) {
> -		iso_conn_put(conn);
> +	if (!sk)
>   		return;
> -	}
>   
>   	lock_sock(sk);
>   	iso_sock_clear_timer(sk);

gemini/gemini-3.1-pro-preview has two comments [1].


Kind regards,

Paul


[1]: 
https://sashiko.dev/#/patchset/20260626115312.33528-1-vulab%40iscas.ac.cn

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path
  2026-06-26 11:53 [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path WenTao Liang
  2026-06-26 13:12 ` Paul Menzel
@ 2026-06-26 13:40 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-06-26 13:40 UTC (permalink / raw)
  To: linux-bluetooth, vulab

[-- Attachment #1: Type: text/plain, Size: 1689 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1117045

---Test result---

Test Summary:
CheckPatch                    PASS      1.25 seconds
VerifyFixes                   PASS      0.37 seconds
VerifySignedoff               PASS      0.26 seconds
GitLint                       FAIL      0.59 seconds
SubjectPrefix                 FAIL      0.13 seconds
BuildKernel                   PASS      27.90 seconds
CheckAllWarning               PASS      30.35 seconds
CheckSparse                   PASS      29.40 seconds
BuildKernel32                 PASS      26.94 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      502.60 seconds
TestRunner_iso-tester         PASS      82.03 seconds
IncrementalBuild              PASS      25.51 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path

1: T1 Title exceeds max length (82>80): "fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found


https://github.com/bluez/bluetooth-next/pull/357

---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-26 13:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-26 11:53 [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path WenTao Liang
2026-06-26 13:12 ` Paul Menzel
2026-06-26 13:40 ` bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox