[PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path

Next message: Petr Mladek: "[POC] sys_info: Introduce state-tracking APIs to prevent duplicate backtraces"
Previous message: Juergen Gross: "Re: [PATCH v2] xen/gntdev: fix error handling in ioctl"
Next in thread: Paul Menzel: "Re: [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Fri Jun 26 2026 - 07:55:17 EST

In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
reference which is correctly balanced by iso_conn_put() at line 279. When
iso_sock_hold() returns NULL (sk == NULL), an additional
iso_conn_put(conn) is called, dropping hcon's reference to conn too
early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
causing a double-free or use-after-free.

Remove the extra iso_conn_put(conn) on the sk == NULL path.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
net/bluetooth/iso.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 3abd8111dda8..99755671e469 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
iso_conn_unlock(conn);
iso_conn_put(conn);

- if (!sk) {
- iso_conn_put(conn);
+ if (!sk)
return;
- }

lock_sock(sk);
iso_sock_clear_timer(sk);
--
2.39.5 (Apple Git-154)