diff options
| -rw-r--r-- | net/bluetooth/iso.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 5c68c0ea7d97..d24c7a1ace92 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -761,6 +761,13 @@ static void iso_sock_kill(struct sock *sk) BT_DBG("sk %p state %d", sk, sk->sk_state); + /* Sock is dead, so set conn->sk to NULL to avoid possible UAF */ + if (iso_pi(sk)->conn) { + iso_conn_lock(iso_pi(sk)->conn); + iso_pi(sk)->conn->sk = NULL; + iso_conn_unlock(iso_pi(sk)->conn); + } + /* Kill poor orphan */ bt_sock_unlink(&iso_sk_list, sk); sock_set_flag(sk, SOCK_DEAD); |