Bluetooth: ISO: Fix UAF on iso_sock_timeout

jira LE-2177
cve CVE-2024-50124
Rebuild_History Non-Buildable kernel-5.14.0-503.19.1.el9_5
commit-author Luiz Augusto von Dentz <[email protected]>
commit 246b435

conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
iso_sk_list.

Fixes: ccf74f2 ("Bluetooth: Add BTPROTO_ISO socket type")
	Signed-off-by: Luiz Augusto von Dentz <[email protected]>
(cherry picked from commit 246b435)
	Signed-off-by: Jonathan Maple <[email protected]>

Author: PlaidCat

net/bluetooth/iso.c

@@ -92,16 +92,24 @@ static struct sock *iso_get_sock_listen(bdaddr_t *src, bdaddr_t *dst,
 #define ISO_CONN_TIMEOUT	(HZ * 40)
 #define ISO_DISCONN_TIMEOUT	(HZ * 2)
 
+static struct sock *iso_sock_hold(struct iso_conn *conn)
+{
+	if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk))
+		return NULL;
+
+	sock_hold(conn->sk);
+
+	return conn->sk;
+}
+
 static void iso_sock_timeout(struct work_struct *work)
 {
 	struct iso_conn *conn = container_of(work, struct iso_conn,
 					     timeout_work.work);
 	struct sock *sk;
 
 	iso_conn_lock(conn);
-	sk = conn->sk;
-	if (sk)
-		sock_hold(sk);
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (!sk)
@@ -219,9 +227,7 @@ static void iso_conn_del(struct hci_conn *hcon, int err)
 
 	/* Kill socket */
 	iso_conn_lock(conn);
-	sk = conn->sk;
-	if (sk)
-		sock_hold(sk);
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (sk) {