{"id":"CVE-2023-54164","summary":"Bluetooth: ISO: fix iso_conn related locking and validity issues","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: fix iso_conn related locking and validity issues\n\nsk-\u003esk_state indicates whether iso_pi(sk)-\u003econn is valid. Operations\nthat check/update sk_state and access conn should hold lock_sock,\notherwise they can race.\n\nThe order of taking locks is hci_dev_lock \u003e lock_sock \u003e iso_conn_lock,\nwhich is how it is in connect/disconnect_cfm -\u003e iso_conn_del -\u003e\niso_chan_del.\n\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\naround updating sk_state and conn.\n\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\niso_conn. Hold hdev-\u003elock longer to prevent that.\n\nThis should not reintroduce the issue fixed in commit 241f51931c35\n(\"Bluetooth: ISO: Avoid circular locking dependency\"), since the we\nacquire locks in order. We retain the fix in iso_sock_connect to release\nlock_sock before iso_connect_* acquires hdev-\u003elock.\n\nSimilarly for commit 6a5ad251b7cd (\"Bluetooth: ISO: Fix possible\ncircular locking dependency\"). We retain the fix in iso_conn_ready to\nnot acquire iso_conn_lock before lock_sock.\n\niso_conn_add shall return iso_conn with valid hcon. Make it so also when\nreusing an old CIS connection waiting for disconnect timeout (see\n__iso_sock_close where conn-\u003ehcon is set to NULL).\n\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\n===============================================================\niso_sock_create:771: sock 00000000be9b69b7\niso_sock_init:693: sk 000000004dff667e\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_connect:875: sk 000000004dff667e\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\n__iso_chan_add:214: conn 00000000daf8625e\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\niso_sock_clear_timer:117: sock 000000004dff667e state 3\n    \u003cNote: sk_state is BT_BOUND (3), so iso_connect_cis is still\n    running at this point\u003e\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\nhci_chan_list_flush:2780: hcon 000000007b65d182\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\n     \u003cNote: sk_state is BT_CONNECT (5), even though iso_chan_del sets\n     BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\n     must be that iso_chan_del occurred between iso_chan_add and end of\n     iso_connect_cis.\u003e\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\n===============================================================\n\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\n===============================================================\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_event_packet:7607: hci0: e\n---truncated---","modified":"2026-03-31T17:30:00.637996Z","published":"2025-12-30T12:08:40.357Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54164.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54164.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54164"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c524f9561c657b8af26dd4f67092b8928261aa62"},{"fixed":"e969bfed84c1f88dc722a678ee08488e86f0ec1a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"241f51931c35085449502c10f64fb3ecd6e02171"},{"fixed":"88ad50f2b843a510bd7c922c0a4e2484aff9d645"},{"fixed":"d40ae85ee62e3666f45bc61864b22121346f88ef"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"2539cbc625c560d5432e2f0fc04bfe4a889cf737"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54164.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.42"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54164.json"}}],"schema_version":"1.7.5"}