[PATCH OLK-6.6] [Backport] Bluetooth: ISO: Fix possible UAF on iso_conn_free
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> stable inclusion from stable-v6.6.112 commit 5319145a07d8bf5b0782b25cb3115825689d42bb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID6B6G CVE: CVE-2025-40141 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 9950f095d6c875dbe0c9ebfcf972ec88fdf26fc8 ] This attempt to fix similar issue to sco_conn_free where if the conn->sk is not set to NULL may lead to UAF on iso_conn_free. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2@huawei.com> --- net/bluetooth/iso.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index b94d202bf374..be71082d9eaf 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -718,6 +718,13 @@ static void iso_sock_kill(struct sock *sk) BT_DBG("sk %p state %d", sk, sk->sk_state); + /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ + if (iso_pi(sk)->conn) { + iso_conn_lock(iso_pi(sk)->conn); + iso_pi(sk)->conn->sk = NULL; + iso_conn_unlock(iso_pi(sk)->conn); + } + /* Kill poor orphan */ bt_sock_unlink(&iso_sk_list, sk); sock_set_flag(sk, SOCK_DEAD); -- 2.34.1
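Review bot: the added block reads iso_pi(sk)->conn three times (the NULL check, the iso_conn_lock() argument and the store through ->conn) without anything in the visible lines showing which lock keeps that pointer stable, so if the conn can be freed between the check and iso_conn_lock() the fix itself still races; loading it once into a local, e.g. `struct iso_conn *conn = iso_pi(sk)->conn;`, and extending the comment to say what guarantees the pointer stays valid across the lock/unlock pair (for instance that iso_sock_kill() runs with the socket locked) would make the intent checkable. A second point: only conn->sk is cleared while iso_pi(sk)->conn keeps pointing at the conn; if that back-pointer is intended to be dropped elsewhere (the commit message only says this mirrors the sco_conn_free fix), a sentence in the message describing the intended ownership of the two pointers would help reviewers of later backports.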
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/19134 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/E3A...
participants (2)
- Chen Jinghuang
- patchwork bot