From: Pauli Virtanen <pav@iki.fi> mainline inclusion from mainline-v6.18-rc1 commit 6ba85da5804efffe15c89b03742ea868f20b4172 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13304 CVE: CVE-2025-68304 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- If iso_conn is freed when RX is incomplete, free any leftover skb piece. Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn") Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> --- net/bluetooth/iso.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index dee167bf7d16c..ddd43649b868c 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -108,6 +108,8 @@ static void iso_conn_free(struct kref *ref) /* Ensure no more work items will run since hci_conn has been dropped */ disable_delayed_work_sync(&conn->timeout_work); + kfree_skb(conn->rx_skb); + kfree(conn); } -- 2.43.0
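Review bot: In iso_conn_free(), the added kfree_skb(conn->rx_skb) carries no comment explaining why an skb can still be attached when the last reference is dropped, while the disable_delayed_work_sync() call just above it has one. A one-line comment noting that a partially reassembled RX fragment may remain would keep the release path self-documenting. kfree_skb() accepts a NULL pointer, so no guard is needed when reassembly had already completed, and because this runs in the kref release callback immediately before kfree(conn), leaving conn->rx_skb and any associated length field unreset is harmless. The commit message says only that the leftover piece is freed. It would help backport reviewers if it also stated that the fragment was otherwise never released, and under what condition the connection is freed with RX incomplete.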