| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251120021217.87602-1-incogcyberpunk@gmail.com>
Date: Thu, 20 Nov 2025 07:57:17 +0545
From: Incog <incogcyberpunk@...il.com>
To: dianders@...omium.org
Cc: angelogioacchino.delregno@...labora.com,
incogcyberpunk@...ton.me,
johan.hedberg@...il.com,
linux-arm-kernel@...ts.infradead.org,
linux-bluetooth@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-mediatek@...ts.infradead.org,
luiz.dentz@...il.com,
marcel@...tmann.org,
matthias.bgg@...il.com,
regressions@...mhuis.info,
regressions@...ts.linux.dev,
sean.wang@...iatek.com
Subject: Re: [PATCH] Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
From: IncogCyberpunk <incogcyberpunk@...ton.me>
On Wed, 19 Nov 2025 08:53:55 -0800 , Douglas Anderson <dianders@...omium.org> wrote:
> In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
> usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
>
> That function can return NULL in some cases. Even when it returns
> NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
>
> As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
> usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
> when `btmtk_data->isopkt_intf` is NULL will cause a crash because
> we'll end up passing a bad pointer to device_lock(). Prior to that
> commit we'd pass the NULL pointer directly to
> usb_driver_claim_interface() which would detect it and return an
> error, which was handled.
>
> Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
> at the start of the function. This makes the code handle a NULL
> `btmtk_data->isopkt_intf` the same way it did before the problematic
> commit (just with a slight change to the error message printed).
Proposed patch:
> index a722446ec73d..1466e0f1865d 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2714,6 +2714,11 @@ static void btusb_mtk_claim_iso_intf(struct btusb_data *data)
> struct btmtk_data *btmtk_data = hci_get_priv(data->hdev);
> int err;
>
> + if (!btmtk_data->isopkt_intf) {
> + bt_dev_err(data->hdev, "Can't claim NULL iso interface");
> + return;
> + }
> +
> /*
> * The function usb_driver_claim_interface() is documented to need
> * locks held if it's not called from a probe routine. The code here
I tested this patch by manually updating the drivers/bluetooth/btusb.c file with the proposed patches as above ; which solves a REGRESSION issue `bluetooth adapter provided by btusb not being recognized and hence bluetooth not working` since kernel version 6.13.2 .
This REGRESSION issue has been present in both the stable and the mainline kernels since 6.13.2 release due to the below mentioned commit in v6.13.2 :
Troublesome Commit Details:
- Title: Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()
- commit id: 4194766ec8756f4f654d595ae49962acbac49490
- [ Upstream commit e9087e828827e5a5c85e124ce77503f2b81c3491 ]
- Author: Douglas Anderson <dianders@...omium.org>
- Date: Wed Jan 15 19:36:36 2025 -0800
Tested-by: IncogCyberpunk <incogcyberpunk@...ton.me>
Regards,
IncogCyberpunk
Powered by blists - more mailing lists