Skip to content

Bluetooth: ISO: Fix issue with CIG being terminated #97285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bluetooth: ISO: Fix issue with CIG being terminated #97285

wants to merge 1 commit into from
+1 −2

Conversation

Thalley
Copy link
Contributor

@Thalley Thalley commented Oct 9, 2025
edited
Loading

In the case of a CIG having multiple CIS, and all CIS has been requested to being disconnected (i.e. they all enter the BT_ISO_STATE_DISCONNECTING state), then when the first disconnect complete is handled in bt_iso_chan_disconnected, then the cig->state was prematurely set to BT_ISO_CIG_STATE_INACTIVE. This meant that if the application called bt_iso_cig_terminate when the 2nd CIS entered bt_iso_chan_disconnected and called chan->ops->disconnected(chan, reason) then the CIG would be removed. When the CIS then entered bt_iso_cleanup_acl, it would access removed data from cleanup_cig.

Change bt_iso_chan_disconnected to not allow the termination of the CIG until all CIS have entered the BT_ISO_STATE_DISCONNECTED state.

fixes #96155

@Thalley
Bluetooth: ISO: Fix issue with CIG being terminated
b75f069 
In the case of a CIG having multiple CIS, and all CIS has been
requested to being disconnected (i.e. they all enter the
BT_ISO_STATE_DISCONNECTING state), then when the first disconnect
complete is handled in bt_iso_chan_disconnected, then the
cig->state was prematurely set to BT_ISO_CIG_STATE_INACTIVE.
This meant that if the application called bt_iso_cig_terminate
when the 2nd CIS entered bt_iso_chan_disconnected and called
chan->ops->disconnected(chan, reason) then the CIG would be
removed. When the CIS then entered bt_iso_cleanup_acl, it
would access removed data from cleanup_cig.

Change bt_iso_chan_disconnected to not allow the termination
of the CIG until all CIS have entered the BT_ISO_STATE_DISCONNECTED
state.

Signed-off-by: Emil Gydesen <[email protected]>
@Thalley Thalley marked this pull request as ready for review October 9, 2025 15:22
@Thalley Thalley requested review from Copilot and sjanc October 9, 2025 15:22
@Thalley Thalley self-assigned this Oct 9, 2025
@zephyrbot zephyrbot added area: Bluetooth area: Bluetooth ISO Bluetooth LE Isochronous Channels area: Bluetooth Host Bluetooth Host (excluding BR/EDR) area: Tests Issues related to a particular existing or missing test labels Oct 9, 2025
Copilot
Copilot AI reviewed Oct 9, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a race condition in Bluetooth ISO CIG (Connected Isochronous Group) termination where a CIG could be prematurely terminated while CIS (Connected Isochronous Stream) channels were still disconnecting, leading to potential access of freed memory.

  • Modified the CIG termination logic to wait for all CIS channels to reach BT_ISO_STATE_DISCONNECTED before allowing termination
  • Added test coverage to verify that bt_iso_cig_terminate correctly fails when CIS channels are still connected

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
subsys/bluetooth/host/iso.c Fixed the state check to prevent premature CIG termination by waiting for all channels to be fully disconnected
tests/bsim/bluetooth/host/iso/cis/src/cis_central.c Added test logic to track connected channels and verify CIG termination behavior

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@Thalley Thalley force-pushed the iso_disconnect_cig_state_fix branch 2 times, most recently from 163a750 to b75f069 Compare October 10, 2025 15:32
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Thalley
Copy link
Contributor Author

Thalley commented Oct 10, 2025

Will follow up with a test that ensures this fix as well as enuring correct behavior in the future

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cvinayak cvinayak cvinayak approved these changes

@jhedberg jhedberg Awaiting requested review from jhedberg

@rugeGerritsen rugeGerritsen Awaiting requested review from rugeGerritsen

At least 2 approving reviews are required to merge this pull request.

Assignees

@Thalley Thalley

Labels

area: Bluetooth Host Bluetooth Host (excluding BR/EDR) area: Bluetooth ISO Bluetooth LE Isochronous Channels area: Bluetooth area: Tests Issues related to a particular existing or missing test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bluetooth: ISO: Null pointer deference in iso.c on link disconnect

3 participants

@Thalley @cvinayak @zephyrbot