Re: [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path

Next message: WenTao Liang: "Re: [PATCH] fix: drm: drm_syncobj_find_fence: invalid flags check before NULL check leaks syncobj reference"
Previous message: WenTao Liang: "Re: [PATCH] fix: i2c: i2c_mux_add_adapter: fix child device_node reference leak on adapter registration failure"
In reply to: Paul Menzel: "Re: [PATCH] fix: net/bluetooth: iso_conn_del: extra iso_conn_put on iso_sock_hold failure path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Sat Jun 27 2026 - 23:57:49 EST

> 2026年6月26日 19:53，WenTao Liang <vulab@xxxxxxxxxxx> 写道：
>
> In iso_conn_del(), iso_conn_hold_unless_zero() acquires a temporary
> reference which is correctly balanced by iso_conn_put() at line 279. When
> iso_sock_hold() returns NULL (sk == NULL), an additional
> iso_conn_put(conn) is called, dropping hcon's reference to conn too
> early. The caller (e.g., hci_conn_del) will later also iso_conn_put(),
> causing a double-free or use-after-free.
>
> Remove the extra iso_conn_put(conn) on the sk == NULL path.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> net/bluetooth/iso.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 3abd8111dda8..99755671e469 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -278,10 +278,8 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
> iso_conn_unlock(conn);
> iso_conn_put(conn);
>
> - if (!sk) {
> - iso_conn_put(conn);
> + if (!sk)
> return;
> - }
>
> lock_sock(sk);
> iso_sock_clear_timer(sk);
> --
> 2.39.5 (Apple Git-154)

Please ignore this patch. I will resend a proper version after
learning the kernel submission process.

Apologies for the noise.

Best regards,
WenTao Liang