{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54164","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.495Z","datePublished":"2025-12-30T12:08:40.357Z","dateUpdated":"2026-05-11T19:56:41.302Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:56:41.302Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: fix iso_conn related locking and validity issues\n\nsk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations\nthat check/update sk_state and access conn should hold lock_sock,\notherwise they can race.\n\nThe order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,\nwhich is how it is in connect/disconnect_cfm -> iso_conn_del ->\niso_chan_del.\n\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\naround updating sk_state and conn.\n\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\niso_conn. Hold hdev->lock longer to prevent that.\n\nThis should not reintroduce the issue fixed in commit 241f51931c35\n(\"Bluetooth: ISO: Avoid circular locking dependency\"), since the we\nacquire locks in order. We retain the fix in iso_sock_connect to release\nlock_sock before iso_connect_* acquires hdev->lock.\n\nSimilarly for commit 6a5ad251b7cd (\"Bluetooth: ISO: Fix possible\ncircular locking dependency\"). We retain the fix in iso_conn_ready to\nnot acquire iso_conn_lock before lock_sock.\n\niso_conn_add shall return iso_conn with valid hcon. Make it so also when\nreusing an old CIS connection waiting for disconnect timeout (see\n__iso_sock_close where conn->hcon is set to NULL).\n\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\n===============================================================\niso_sock_create:771: sock 00000000be9b69b7\niso_sock_init:693: sk 000000004dff667e\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_connect:875: sk 000000004dff667e\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\n__iso_chan_add:214: conn 00000000daf8625e\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\niso_sock_clear_timer:117: sock 000000004dff667e state 3\n    <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still\n    running at this point>\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\nhci_chan_list_flush:2780: hcon 000000007b65d182\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\n     <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets\n     BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\n     must be that iso_chan_del occurred between iso_chan_add and end of\n     iso_connect_cis.>\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\n===============================================================\n\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\n===============================================================\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_event_packet:7607: hci0: e\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/iso.c"],"versions":[{"version":"c524f9561c657b8af26dd4f67092b8928261aa62","lessThan":"e969bfed84c1f88dc722a678ee08488e86f0ec1a","status":"affected","versionType":"git"},{"version":"241f51931c35085449502c10f64fb3ecd6e02171","lessThan":"88ad50f2b843a510bd7c922c0a4e2484aff9d645","status":"affected","versionType":"git"},{"version":"241f51931c35085449502c10f64fb3ecd6e02171","lessThan":"d40ae85ee62e3666f45bc61864b22121346f88ef","status":"affected","versionType":"git"},{"version":"2539cbc625c560d5432e2f0fc04bfe4a889cf737","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/iso.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.1.42","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.7","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.9","versionEndExcluding":"6.1.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a"},{"url":"https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645"},{"url":"https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef"}],"title":"Bluetooth: ISO: fix iso_conn related locking and validity issues","x_generator":{"engine":"bippy-1.2.0"}}}}