From: Douglas Anderson
To: Marcel Holtmann, Luiz Augusto von Dentz, Matthias Brugger, AngeloGioacchino Del Regno
Cc: Thorsten Leemhuis, regressions@lists.linux.dev, incogcyberpunk@proton.me, johan.hedberg@gmail.com, sean.wang@mediatek.com, Douglas Anderson, stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org
Subject: [PATCH v3] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Date: Thu, 20 Nov 2025 08:12:28 -0800
Message-ID: <20251120081227.v3.1.I1ae7aebc967e52c7c4be7aa65fbd81736649568a@changeid>

In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:

  usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)

That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled.

Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed).
Reported-by: IncogCyberpunk
Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
Cc: stable@vger.kernel.org
Tested-by: IncogCyberpunk
Signed-off-by: Douglas Anderson
Reviewed-by: Paul Menzel
---
Changes in v3:
- Added Cc to stable.
- Added IncogCyberpunk Tested-by tag.
- v2: https://patch.msgid.link/20251119092641.v2.1.I1ae7aebc967e52c7c4be7aa65fbd81736649568a@changeid

Changes in v2:
- Rebase atop commit 529ac8e706c3 ("Bluetooth: ... mtk iso interface")
- v1: https://patch.msgid.link/20251119085354.1.I1ae7aebc967e52c7c4be7aa65fbd81736649568a@changeid

 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index fcc62e2fb641..683ac02e964b 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -2751,6 +2751,11 @@ static void btusb_mtk_claim_iso_intf(struct btusb_da= ta *data) if (!btmtk_data) return; =20 + if (!btmtk_data->isopkt_intf) { + bt_dev_err(data->hdev, "Can't claim NULL iso interface"); + return; + } + /* * The function usb_driver_claim_interface() is documented to need * locks held if it's not called from a probe routine. The code here --=20 2.52.0.rc1.455.g30608eb744-goog
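Review bot: The log level of the new guard in btusb_mtk_claim_iso_intf() deserves a second look: the commit message describes usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) returning NULL as something that happens "in some cases" rather than as a fault, so `bt_dev_err(data->hdev, "Can't claim NULL iso interface");` will be emitted at every setup on such devices; if a missing ISO interface is an expected configuration, bt_dev_dbg or a short comment above the check stating why NULL is reachable here would keep the log accurate. It is also worth asking whether btusb_mtk_setup(), which stores the possibly-NULL pointer, should skip the claim call itself, so that the guard in this hunk is defence in depth rather than the only thing standing between the NULL and device_lock().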