| author | 2026-05-27 04:59:17 +0000 | |
|---|---|---|
| committer | 2026-05-28 08:52:21 -0400 | |
| commit | 47f23a259517abbdb8032c057a1e8a6bf3734878 (patch) | |
| tree | fb80ad20f4ea11865777bd03fc7b36f7c17f4120 | |
| parent | Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp (diff) | |
Bluetooth: ISO: fix UAF in iso_recv_frame
iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().
Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
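The window the commit message describes, and the effect of taking the reference under the lock, as an added user-space model. This is illustration code, not the kernel's iso_recv_frame()/iso_sock_kill(): the model_* names, MODEL_CONNECTED and the plain flag standing in for iso_conn_lock are hypothetical, and the last sock_put() poisons the struct instead of freeing it so that a stale access is observable. The two interleavings are driven sequentially rather than with real threads, which is enough to show why the bare pointer read is wrong and why the held reference keeps sk alive until the drop_put path runs.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_CONNECTED 1   /* stands in for the connected sk_state; hypothetical value */

struct model_sock {
    int refcnt;     /* models sk->sk_refcnt */
    bool freed;     /* set when the last reference drops; stands in for the free */
    int state;      /* models sk->sk_state */
    int queued;     /* frames accepted by the model's sock_queue_rcv_skb() */
};

struct model_conn {
    bool locked;            /* models iso_conn_lock (a flag, since this model is single-threaded) */
    struct model_sock *sk;  /* models conn->sk: the reference owned by the conn */
};

static void model_lock(struct model_conn *c)   { c->locked = true; }
static void model_unlock(struct model_conn *c) { c->locked = false; }

static void model_sock_hold(struct model_sock *sk) { sk->refcnt++; }

static void model_sock_put(struct model_sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;   /* poison instead of freeing so a later touch is observable */
}

/* Before the fix: conn->sk is read under the lock, but nothing keeps sk
 * alive once the lock is released. */
static struct model_sock *lookup_bare(struct model_conn *conn)
{
    struct model_sock *sk;

    model_lock(conn);
    sk = conn->sk;
    model_unlock(conn);
    return sk;
}

/* After the fix, modelled on iso_sock_hold(): the hold happens while the
 * lock is held, so the refcount is already raised when the lock drops. */
static struct model_sock *lookup_hold(struct model_conn *conn)
{
    struct model_sock *sk;

    model_lock(conn);
    sk = conn->sk;
    if (sk)
        model_sock_hold(sk);
    model_unlock(conn);
    return sk;
}

/* Model of iso_sock_kill(): detach the socket from the conn and drop the
 * conn's reference; in the kernel this runs concurrently with the receive path. */
static void model_sock_kill(struct model_conn *conn)
{
    struct model_sock *sk;

    model_lock(conn);
    sk = conn->sk;
    conn->sk = NULL;
    model_unlock(conn);
    if (sk)
        model_sock_put(sk);
}

/* Second half of the receive path: the sk->sk_state check and the queueing
 * the commit names. Returns -1 when it would touch a freed socket (the UAF). */
static int deliver_frame(struct model_sock *sk)
{
    if (!sk)
        return 0;
    if (sk->freed)
        return -1;
    if (sk->state != MODEL_CONNECTED)
        return 0;
    sk->queued++;
    return 0;
}

/* Drive the interleaving from the commit message: lookup, then a kill lands in
 * the window, then the use. with_hold selects the fixed variant; freed_at_end
 * reports whether the socket had been released once the receive path finished. */
static int simulate_race(bool with_hold, bool *freed_at_end)
{
    struct model_sock sk = { .refcnt = 1, .freed = false,
                             .state = MODEL_CONNECTED, .queued = 0 };
    struct model_conn conn = { .locked = false, .sk = &sk };
    struct model_sock *p;
    int rc;

    p = with_hold ? lookup_hold(&conn) : lookup_bare(&conn);
    model_sock_kill(&conn);        /* the concurrent iso_sock_kill() */
    rc = deliver_frame(p);
    if (with_hold && p)
        model_sock_put(p);         /* the drop_put exit path of the fix */

    if (freed_at_end)
        *freed_at_end = sk.freed;
    return rc;
}

int main(void)
{
    bool freed;
    int rc = simulate_race(false, &freed);
    printf("bare pointer: rc=%d (-1 means use-after-free), freed=%d\n", rc, freed);
    rc = simulate_race(true, &freed);
    printf("held ref:     rc=%d, released only after the final put: freed=%d\n", rc, freed);
    return 0;
}
```

In the bare variant the kill drops the conn's only reference while the receive path still holds a raw pointer, so deliver_frame() sees a released socket; in the held variant the kill only takes the refcount from 2 to 1, the frame is delivered, and the socket is released by the receive path's own put, which is exactly what the drop_put label exists to guarantee on every exit after a successful hold.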
