From: Douglas Anderson
To: Marcel Holtmann, Luiz Augusto von Dentz, Matthias Brugger, AngeloGioacchino Del Regno
Cc: Thorsten Leemhuis, incogcyberpunk@proton.me, johan.hedberg@gmail.com, regressions@lists.linux.dev, sean.wang@mediatek.com, Douglas Anderson, linux-arm-kernel@lists.infradead.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org
Subject: [PATCH] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Date: Wed, 19 Nov 2025 08:53:55 -0800
Message-ID: <20251119085354.1.I1ae7aebc967e52c7c4be7aa65fbd81736649568a@changeid>

In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:

  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL,
though, we still go on to call btusb_mtk_claim_iso_intf().

As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when
`btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up
passing a bad pointer to device_lock(). Prior to that commit we'd pass the
NULL pointer directly to usb_driver_claim_interface() which would detect it
and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at
the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic commit
(just with a slight change to the error message printed).

Reported-by: IncogCyberpunk
Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
Signed-off-by: Douglas Anderson Tested-by: IncogCyberpunk --- I have no way to test this commit myself other than to compile it. It looks fairly straightforward, though, so I'm hopeful it will fix the problem. drivers/bluetooth/btusb.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index a722446ec73d..1466e0f1865d 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -2714,6 +2714,11 @@ static void btusb_mtk_claim_iso_intf(struct btusb_da= ta *data) struct btmtk_data *btmtk_data =3D hci_get_priv(data->hdev); int err; =20 + if (!btmtk_data->isopkt_intf) { + bt_dev_err(data->hdev, "Can't claim NULL iso interface"); + return; + } + /* * The function usb_driver_claim_interface() is documented to need * locks held if it's not called from a probe routine. The code here --=20 2.52.0.rc1.455.g30608eb744-goog
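Review bot: The early return at the top of btusb_mtk_claim_iso_intf() stops the NULL reaching device_lock(), but it leaves btusb_mtk_setup() storing a NULL `btmtk_data->isopkt_intf` from usb_ifnum_to_if() and still calling the claim routine; consider also skipping the call at that site so the missing-interface case is handled where it originates, and confirm that whatever later releases `isopkt_intf` tolerates it being NULL and never claimed. Using bt_dev_err() for the message is consistent with the commit message's statement that the pre-e9087e828827 code also surfaced this as a handled error rather than a silent skip.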
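The ordering hazard the commit message describes, as an added userspace model that is not code from the patch or from the kernel tree: a callee that validates its own pointer argument stops protecting the caller as soon as the caller starts dereferencing that pointer to take a lock first. The `model_*` types and functions are hypothetical stand-ins for `struct usb_interface`, `device_lock()` and `usb_driver_claim_interface()`; the three `claim_*` functions correspond to the pre-lock code, the locked-but-unchecked code, and the patched code.

```c
/*
 * Added example, not from the patch or the kernel. The model_* names are
 * hypothetical stand-ins for struct usb_interface, device_lock() and
 * usb_driver_claim_interface(); they only reproduce the NULL-handling
 * behaviour the commit message describes.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_device { int lock_depth; };

struct model_intf {
    struct model_device dev;   /* embedded, like usb_interface.dev */
    const char *name;
    int claimed;
};

/* Model of device_lock()/device_unlock(): dereferences unconditionally. */
static void model_device_lock(struct model_device *d)   { d->lock_depth++; }
static void model_device_unlock(struct model_device *d) { d->lock_depth--; }

/* Model of usb_driver_claim_interface(): validates its own argument. */
static int model_claim_interface(struct model_intf *intf)
{
    if (!intf)
        return -ENODEV;
    if (intf->claimed)
        return -EBUSY;
    intf->claimed = 1;
    return 0;
}

/* Before the locking commit: NULL reaches the callee, which rejects it. */
static int claim_unlocked(struct model_intf *intf)
{
    return model_claim_interface(intf);
}

/*
 * After the locking commit, before the fix: the lock is taken first, so a
 * NULL intf is dereferenced in model_device_lock() before the callee's own
 * check can run. Calling this with NULL faults; it is kept for comparison
 * and is never invoked with NULL below.
 */
static int claim_locked_unchecked(struct model_intf *intf)
{
    int err;

    model_device_lock(&intf->dev);
    err = model_claim_interface(intf);
    model_device_unlock(&intf->dev);
    return err;
}

/* After the fix: the NULL check sits in front of the lock. */
static int claim_locked_checked(struct model_intf *intf)
{
    int err;

    if (!intf) {
        fprintf(stderr, "Can't claim NULL iso interface\n");
        return -ENODEV;
    }

    model_device_lock(&intf->dev);
    err = model_claim_interface(intf);
    model_device_unlock(&intf->dev);
    return err;
}

/* Claims a fresh interface twice via the fixed path; returns the 2nd result. */
static int checked_second_claim(void)
{
    struct model_intf t = { .name = "iso", .claimed = 0 };

    if (claim_locked_checked(&t) != 0)
        return -1;              /* first claim must succeed */
    if (t.dev.lock_depth != 0)
        return -2;              /* lock must be released */
    return claim_locked_checked(&t);
}

int main(void)
{
    struct model_intf iso = { .name = "iso", .claimed = 0 };

    printf("unlocked, NULL   -> %d\n", claim_unlocked(NULL));
    printf("checked, NULL    -> %d\n", claim_locked_checked(NULL));
    printf("unchecked, valid -> %d\n", claim_locked_unchecked(&iso));
    printf("checked, again   -> %d\n", checked_second_claim());
    return 0;
}
```

The point of keeping `claim_locked_unchecked()` is that it is correct for every non-NULL interface, which is why the regression only shows up on hardware where `MTK_ISO_IFNUM` is absent; a NULL check placed before any lock or dereference is the minimal restoration of the earlier behaviour.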