[PW_SID:1074833] [v3] Bluetooth: ISO: fix NULL deref in iso_recv() ISO_END handling

[BluezTestBot]

The ISO_CONT case in iso_recv() properly checks for unexpected
continuation frames and oversized fragments before accessing
conn->rx_skb. The ISO_END case lacks both checks.

When an ISO_END packet arrives without a preceding ISO_START:

• conn->rx_skb is NULL (never allocated)
• skb_put(conn->rx_skb, ...) dereferences NULL -> kernel crash

When an ISO_END fragment length does not exactly match the
remaining expected length:

• the reassembly is malformed and must be rejected

KASAN confirmed the NULL-deref on kernel 7.0.0-rc5 via VHCI:

general protection fault, probably for non-canonical address 0xdffffc0000000018
KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
CPU: 0 UID: 0 PID: 72 Comm: kworker/u9:0 Not tainted 7.0.0-rc5
Workqueue: hci0 hci_rx_work
RIP: 0010:skb_put+0x27/0x1a0
Call Trace:

iso_recv+0x5e0/0xee0
hci_rx_work+0x226/0x730
process_one_work+0x633/0x1060
worker_thread+0x45b/0xd10
kthread+0x2c6/0x3b0
ret_from_fork+0x38d/0x5c0

Kernel panic - not syncing: Fatal exception

Fix by adding validation to the ISO_END case: reject end frames
when no rx_skb reassembly buffer exists, and reject end fragments
whose length does not exactly complete the expected reassembly.

Fixes: ccf74f2 ("Bluetooth: Add ISO Socket")
Cc: stable@vger.kernel.org
Signed-off-by: Nathan Rebello nathan.c.rebello@gmail.com

Changes in v3:

• Check !conn->rx_skb instead of !conn->rx_len to correctly
  handle the case where an ISO_CONT fragment completes rx_len
  but a valid zero-length ISO_END still follows.

Changes in v2:

• Tighten end fragment check from (skb->len > conn->rx_len) to
  (skb->len != conn->rx_len): the end fragment must exactly
  complete the reassembly.

net/bluetooth/iso.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

[github-actions]

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.50 seconds
Result: PENDING

[github-actions]

GitLint
Desc: Run gitlint
Duration: 0.29 seconds
Result: PENDING

[github-actions]

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.09 seconds
Result: PASS

[github-actions]

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.89 seconds
Result: PASS

[github-actions]

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 28.27 seconds
Result: PASS

[github-actions]

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.06 seconds
Result: PASS

[github-actions]

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.06 seconds
Result: PASS

[github-actions]

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 561.18 seconds
Result: PASS

[github-actions]

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.27 seconds
Result: PASS

[github-actions]

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 39.10 seconds
Result: PASS

[github-actions]

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.24 seconds
Result: PASS

[github-actions]

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 114.28 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.105 seconds

[github-actions]

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.28 seconds
Result: PASS

[github-actions]

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.23 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
7.0.0-rc2-g6320f7500a9b #1 Not tainted
------------------------------------------------------
kworker/u5:2/117 is trying to acquire lock:
ffff888002365240 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x358/0x8d0

but task is already holding lock:
ffff888002141c20 (&conn->lock){+.+.}-{3:3}, at: sco_connect_cfm+0x22d/0x8d0

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock){+.+.}-{3:3}:
       lock_acquire+0xf7/0x2c0
       _raw_spin_lock+0x2a/0x40
       sco_sock_connect+0x4d7/0x1280
       __sys_connect+0x1a3/0x260
       __x64_sys_connect+0x6e/0xb0
       do_syscall_64+0xa0/0x570
       entry_SYSCALL_64_after_hwframe+0x74/0x7c

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add+0xe9/0xc70
       __lock_acquire+0x1457/0x1df0
       lock_acquire+0xf7/0x2c0
       lock_sock_nested+0x36/0xd0
       sco_connect_cfm+0x358/0x8d0
       hci_sync_conn_complete_evt+0x3d3/0x8e0
       hci_event_packet+0x74f/0xb10
       hci_rx_work+0x398/0xd00
       process_scheduled_works+0xb16/0x1ac0
       worker_thread+0x4ff/0xba0
       kthread+0x368/0x490
       ret_from_fork+0x498/0x7e0
       ret_from_fork_asm+0x19/0x30

other info that might help us debug this:

...
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 117, name: kworker/u5:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 117 Comm: kworker/u5:2 Not tainted 7.0.0-rc2-g6320f7500a9b #1 PREEMPT(lazy) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x49/0x60
 __might_resched+0x2ea/0x500
 lock_sock_nested+0x47/0xd0
 ? sco_connect_cfm+0x358/0x8d0
 sco_connect_cfm+0x358/0x8d0
 ? hci_debugfs_create_conn+0x190/0x210
 ? __pfx_sco_connect_cfm+0x10/0x10
 hci_sync_conn_complete_evt+0x3d3/0x8e0
 hci_event_packet+0x74f/0xb10
 ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
 ? __pfx_hci_event_packet+0x10/0x10
 ? mark_held_locks+0x49/0x80
 ? lockdep_hardirqs_on_prepare+0xd4/0x180
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 hci_rx_work+0x398/0xd00
 process_scheduled_works+0xb16/0x1ac0
 ? __pfx_process_scheduled_works+0x10/0x10
 ? lock_acquire+0xf7/0x2c0
 ? lock_is_held_type+0x9b/0x110
 ? __pfx_hci_rx_work+0x10/0x10
 worker_thread+0x4ff/0xba0
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x368/0x490
 ? _raw_spin_unlock_irq+0x23/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x498/0x7e0
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x9e4/0xe50
 ? __switch_to_asm+0x32/0x60
...
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

[github-actions]

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.06 seconds
Result: PASS

[github-actions]

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.46 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.855 seconds
Mesh - Send cancel - 2                               Timed out    1.999 seconds

[github-actions]

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.49 seconds
Result: PASS

[github-actions]

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.51 seconds
Result: PASS

[github-actions]

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 8.52 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
7.0.0-rc2-g6320f7500a9b #1 Not tainted
------------------------------------------------------
kworker/0:1/11 is trying to acquire lock:
ffff8880026e4940 ((wq_completion)hci0#2){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x75/0x180

but task is already holding lock:
ffffffff9344d720 (rtnl_mutex){+.+.}-{4:4}, at: lowpan_unregister_netdev+0xd/0x30

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (rtnl_mutex){+.+.}-{4:4}:
       lock_acquire+0xf7/0x2c0
       __mutex_lock+0x16b/0x1fc0
       lowpan_register_netdev+0x11/0x30
       chan_ready_cb+0x836/0xd00
       l2cap_recv_frame+0x6a06/0x8920
       l2cap_recv_acldata+0x790/0xdf0
       hci_rx_work+0x500/0xd00
       process_scheduled_works+0xb16/0x1ac0
       worker_thread+0x4ff/0xba0
       kthread+0x368/0x490
       ret_from_fork+0x498/0x7e0
       ret_from_fork_asm+0x19/0x30

-> #3 (&chan->lock#3/1){+.+.}-{4:4}:
       lock_acquire+0xf7/0x2c0
       __mutex_lock+0x16b/0x1fc0
       l2cap_chan_connect+0x74e/0x1980
       lowpan_control_write+0x523/0x660
       full_proxy_write+0x10b/0x190
       vfs_write+0x1c0/0xf60
       ksys_write+0xf1/0x1d0
       do_syscall_64+0xa0/0x570
       entry_SYSCALL_64_after_hwframe+0x74/0x7c

-> #2 (&conn->lock){+.+.}-{4:4}:
...
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0

[github-actions]

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.26 seconds
Result: PENDING