diff options
| author | Pauli Virtanen <pav@iki.fi> | 2025-09-22 21:11:21 +0300 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2025-09-27 11:37:43 -0400 |
| commit | 6ba85da5804efffe15c89b03742ea868f20b4172 (patch) | |
| tree | e4319d766d08278f5d0a64dfe5fb668f77067b95 /net/bluetooth | |
| parent | Bluetooth: ISO: Fix possible UAF on iso_conn_free (diff) | |
| download | linux-6ba85da5804efffe15c89b03742ea868f20b4172.tar.gz linux-6ba85da5804efffe15c89b03742ea868f20b4172.zip | |
Bluetooth: ISO: free rx_skb if not consumed
If iso_conn is freed when RX is incomplete, free any leftover skb piece.
Fixes: dc26097bdb86 ("Bluetooth: ISO: Use kref to track lifetime of iso_conn")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'net/bluetooth')
| -rw-r--r-- | net/bluetooth/iso.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index d24c7a1ace92..ad5c8118a6e3 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -111,6 +111,8 @@ static void iso_conn_free(struct kref *ref) /* Ensure no more work items will run since hci_conn has been dropped */ disable_delayed_work_sync(&conn->timeout_work); + kfree_skb(conn->rx_skb); + kfree(conn); } |