From: Douglas Anderson
To: Marcel Holtmann, Luiz Augusto von Dentz, Matthias Brugger, AngeloGioacchino Del Regno
Cc: incogcyberpunk@proton.me, regressions@lists.linux.dev, Thorsten Leemhuis, johan.hedberg@gmail.com, sean.wang@mediatek.com, Douglas Anderson, linux-arm-kernel@lists.infradead.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org
Subject: [PATCH v2] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Date: Wed, 19 Nov 2025 09:26:42 -0800
Message-ID: <20251119092641.v2.1.I1ae7aebc967e52c7c4be7aa65fbd81736649568a@changeid>

In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:

  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed).

Reported-by: IncogCyberpunk
Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
Signed-off-by: Douglas Anderson
---
I have no way to test this commit myself other than to compile it. It looks fairly straightforward, though, so I'm hopeful it will fix the problem.

Changes in v2:
- Rebase atop commit 529ac8e706c3 ("Bluetooth: ... mtk iso interface")

 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index fcc62e2fb641..683ac02e964b 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -2751,6 +2751,11 @@ static void btusb_mtk_claim_iso_intf(struct btusb_da= ta *data) if (!btmtk_data) return; =20 + if (!btmtk_data->isopkt_intf) { + bt_dev_err(data->hdev, "Can't claim NULL iso interface"); + return; + } + /* * The function usb_driver_claim_interface() is documented to need * locks held if it's not called from a probe routine. The code here --=20 2.52.0.rc1.455.g30608eb744-goog
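Review bot: The new early return in the hunk is the right place to stop a NULL `isopkt_intf` before it reaches device_lock(), but consider whether bt_dev_err is the right severity, since the commit message only says usb_ifnum_to_if() "can return NULL in some cases" without saying whether a device lacking the ISO interface is an expected configuration. If it is, this message will fire on every probe of such a device, and bt_dev_dbg (or a short comment above the check explaining why a missing interface is an error here) would keep the log meaningful. Otherwise the check mirrors the pre-e9087e828827 behaviour described in the message, and ordering it right after the existing `if (!btmtk_data) return;` keeps both guards together at the top of the function.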