[BUG?] bluetooth LE ISO sockets never get freed because of SOCK_DEAD confusion?
From: Jann Horn
Date: Thu Apr 30 2026 - 12:48:03 EST
I can't figure out how to release a bluetooth LE ISO socket such that
it gets freed.
ISO sockets are placed on the iso_sk_list, which holds references to
its entries. The only place in which an ISO socket can be removed from
this list is iso_sock_kill(), which calls bt_sock_unlink(&iso_sk_list,
sk).
But iso_sock_kill() bails out immediately if either sk->sk_socket is
still set, or SOCK_DEAD is set. This means that if anything other than
iso_sock_kill() sets SOCK_DEAD, the socket can never be freed.
When I call close() on an ISO socket returned by accept(), the
behavior I observe is:
sock_close
  __sock_release
    iso_sock_release
      iso_sock_close
        iso_sock_kill
          [bails out because sk->sk_socket is still non-NULL]
      sock_orphan
        sk_set_flag(sk, SOCK_DEAD)
        sk_set_socket(sk, NULL)
      iso_sock_kill
        [bails out because SOCK_DEAD is now set]
Am I missing something, or can ISO sockets (once they have been
accepted) never be freed?