linux-bluetooth.vger.kernel.org archive mirror
From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: Yang Li <yang.li@amlogic.com>
Cc: Paul Menzel <pmenzel@molgen.mpg.de>,
	Marcel Holtmann <marcel@holtmann.org>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn
Date: Fri, 7 Nov 2025 13:52:45 -0500
Message-ID: <CABBYNZKQPBaxmxzDttOKumMaReycbSAbc-JM2P0mwzy=d-kbkw@mail.gmail.com>
In-Reply-To: <0aa28372-feea-4252-a498-b3b8be7617f4@amlogic.com>

Hi Yang,

On Wed, Nov 5, 2025 at 9:21 PM Yang Li <yang.li@amlogic.com> wrote:
>
> Hi Paul,
>
>
> > [ EXTERNAL EMAIL ]
> >
> > Dear Yang,
> >
> >
> > Thank you for your patch.
> >
> > On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> >> From: Yang Li <yang.li@amlogic.com>
> >>
> >> kernel panic: Unable to handle kernel read from unreadable
> >> memory at virtual address 00000000000003d8
> >
> > No line break needed in pasted logs.
> >
> >>
> >> Call trace:
> >>   iso_sock_disconn+0x110/0x1c8
> >>   __iso_sock_close+0x50/0x164
> >>   iso_sock_release+0x48/0xf0
> >>   __sock_release+0x40/0xb4
> >>   sock_close+0x18/0x28
> >>   __fput+0xd8/0x28c
> >>   __fput_sync+0x50/0x5c
> >>   __arm64_sys_close+0x38/0x7c
> >>   invoke_syscall+0x48/0x118
> >>   el0_svc_common.constprop.0+0x40/0xe0
> >>   do_el0_svc_compat+0x1c/0x34
> >>   el0_svc_compat+0x30/0x88
> >>   el0t_32_sync_handler+0x90/0x140
> >>   el0t_32_sync+0x198/0x19c
> >
> > Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> > can be NULL.
>
>
> I will update it.
>
> Thanks!
>
> >
> >> Signed-off-by: Yang Li <yang.li@amlogic.com>
> >> ---
> >>   net/bluetooth/iso.c | 4 ++--
> >>   1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> >> index 74ec7d125c88..89c7700ceb81 100644
> >> --- a/net/bluetooth/iso.c
> >> +++ b/net/bluetooth/iso.c
> >> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> >>       case BT_CONNECT:
> >>       case BT_CONNECTED:
> >>       case BT_CONFIG:
> >> -             if (iso_pi(sk)->conn->hcon)
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> >>                       iso_sock_disconn(sk);
> >>               else
> >>                       iso_chan_del(sk, ECONNRESET);
> >>               break;
> >>
> >>       case BT_CONNECT2:
> >> -             if (iso_pi(sk)->conn->hcon &&
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> >>                   (test_bit(HCI_CONN_PA_SYNC,
> >> &iso_pi(sk)->conn->hcon->flags) ||
> >>                   test_bit(HCI_CONN_PA_SYNC_FAILED,
> >> &iso_pi(sk)->conn->hcon->flags)))
> >>                       iso_sock_disconn(sk);
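Review bot: the added `iso_pi(sk)->conn &&` guard in both arms of this hunk does not obviously cover the reported fault. The call trace places the crash inside iso_sock_disconn+0x110, which is reached only after the existing `if (iso_pi(sk)->conn->hcon)` test has already passed, so conn was not NULL at that point; and the subject line calls the bug a UAF, which a NULL test cannot prevent. The commit message should, as Paul asked, show the path on which `iso_pi(sk)->conn` becomes NULL before __iso_sock_close runs, or else the fix belongs in the release ordering that leaves a stale conn/hcon behind. As a minor point, the conditions now read `iso_pi(sk)->conn` twice (and `iso_pi(sk)->conn->hcon` up to three times in the BT_CONNECT2 arm); load it once into a local, e.g. `struct iso_conn *conn = iso_pi(sk)->conn;` followed by `if (conn && conn->hcon)`, which also keeps the check and the dereference consistent if the field can be cleared by another path.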

Hold on, since the bug is actually in the handling of BIG Sync Lost: it
has been assuming that it also means PA Sync is lost as well, when that
is informed by its own event, PA Sync Lost:

https://patchwork.kernel.org/project/bluetooth/patch/20251106230943.877242-2-luiz.dentz@gmail.com/

Also note that I've changed the handling so it no longer calls
hci_conn_del without first calling hci_disconn_cfm, since the latter
actually informs the socket layers about the imminent deletion so the
socket can go ahead and clean up properly.

> > This diff looks fine.
> >
> >
> > Kind regards,
> >
> > Paul



-- 
Luiz Augusto von Dentz


Thread overview: 5+ messages
2025-11-05  9:02 [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn Yang Li via B4 Relay
2025-11-05  9:38 ` bluez.test.bot
2025-11-05  9:45 ` [PATCH] " Paul Menzel
2025-11-06  2:21   ` Yang Li
2025-11-07 18:52     ` Luiz Augusto von Dentz [this message]
