Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled. Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed).
Product status
930e1790b99e5839e1af69d2f7fd808f1fba2df9 (git) before 2fa09fe98ca3b114d66285f65f7e108fea131815
e9087e828827e5a5c85e124ce77503f2b81c3491 (git) before c3b990e0b23068da65f0004cd38ee31f43f36460
e9087e828827e5a5c85e124ce77503f2b81c3491 (git) before c884a0b27b4586e607431d86a1aa0bb4fb39169c
4194766ec8756f4f654d595ae49962acbac49490 (git)
6.14
Any version before 6.14
6.12.61 (semver)
6.17.11 (semver)
6.18 (original_commit_for_fix)
References
git.kernel.org/...c/2fa09fe98ca3b114d66285f65f7e108fea131815
git.kernel.org/...c/c3b990e0b23068da65f0004cd38ee31f43f36460
git.kernel.org/...c/c884a0b27b4586e607431d86a1aa0bb4fb39169c
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
