From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2025-68306: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
Date: Tue, 16 Dec 2025 16:07:00 +0100
Message-ID: <2025121645-CVE-2025-68306-e034@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface

When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a null check before releasing resources to avoid attempting to release a null pointer.

<4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)
<4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]
<4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<4>[ 29.158162] pc : klist_remove+0x90/0x158
<4>[ 29.158174] lr : klist_remove+0x88/0x158
<4>[ 29.158180] sp : ffffffc0846b3c00
<4>[ 29.158185] pmr_save: 000000e0
<4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058
<4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0
<4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290
<4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781
<4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428
<4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018
<4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000
<4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d
<4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e
<4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c
<4>[ 29.158285] Call trace:
<4>[ 29.158290] klist_remove+0x90/0x158
<4>[ 29.158298] device_release_driver_internal+0x20c/0x268
<4>[ 29.158308] device_release_driver+0x1c/0x30
<4>[ 29.158316] usb_driver_release_interface+0x70/0x88
<4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]
<4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]
<4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]
<4>[ 29.158430] process_scheduled_works+0x258/0x4e8
<4>[ 29.158441] worker_thread+0x300/0x428
<4>[ 29.158448] kthread+0x108/0x1d0
<4>[ 29.158455] ret_from_fork+0x10/0x20
<0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)
<4>[ 29.158474] ---[ end trace 0000000000000000 ]---
<0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception
<2>[ 29.167144] SMP: stopping secondary CPUs
<4>[ 29.167158] ------------[ cut here ]------------

The Linux kernel CVE team has assigned CVE-2025-68306 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.11 with commit ceac1cb0259de682d78f5c784ef8e0b13022e9d9 and fixed in 6.12.61 with commit 421e88a0d85782786b7a1764c75518b4845e07b3
	Issue introduced in 6.11 with commit ceac1cb0259de682d78f5c784ef8e0b13022e9d9 and fixed in 6.17.11 with commit faae9f2ea8806f2499186448adbf94689b47b82b
	Issue introduced in 6.11 with commit ceac1cb0259de682d78f5c784ef8e0b13022e9d9 and fixed in 6.18 with commit 4015b979767125cf8a2233a145a3b3af78bfd8fb

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68306
will be updated if fixes are backported, please check that for the most up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/bluetooth/btusb.c
	include/net/bluetooth/hci_core.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3
	https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b
	https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb
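
A version check built from the "Affected and fixed versions" data above, as an added example that is not part of the original advisory or of the kernel project's tooling. The function names and status strings are assumptions made for illustration; the check compares upstream version numbers only, so a vendor kernel that carries a backported fix under an older version number is still reported as affected.

```python
import platform
import re

# Version data copied from the "Affected and fixed versions" section above.
INTRODUCED = (6, 11, 0)                        # issue introduced in 6.11
FIXED_IN_BRANCH = {(6, 12): 61, (6, 17): 11}   # stable branch -> first fixed patch level
FIXED_MAINLINE = (6, 18, 0)                    # fixed in 6.18

# Status strings are names chosen for this example.
NOT_AFFECTED = "not affected"
AFFECTED = "affected"
AFFECTED_NO_FIX = "affected, no fix listed for this branch"
FIXED = "fixed"
UNKNOWN = "unknown (release candidate of a boundary version)"


def parse_release(release):
    """Parse a `uname -r` style string, e.g. '6.12.48-generic' or '6.18-rc3'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def cve_2025_68306_status(release):
    """Classify an upstream kernel version against the ranges in the advisory."""
    version, is_rc = parse_release(release)
    branch = version[:2]
    # An -rc of 6.11 or 6.18 may predate the introducing or fixing commit.
    if is_rc and branch in (INTRODUCED[:2], FIXED_MAINLINE[:2]):
        return UNKNOWN
    if version < INTRODUCED:
        return NOT_AFFECTED
    if version >= FIXED_MAINLINE:
        return FIXED
    fixed_patch = FIXED_IN_BRANCH.get(branch)
    if fixed_patch is None:
        return AFFECTED_NO_FIX  # e.g. 6.11.y, 6.13.y .. 6.16.y
    return FIXED if version[2] >= fixed_patch else AFFECTED


if __name__ == "__main__":
    # Vendor kernels may carry the fix under an older version number.
    print(platform.release(), "->", cve_2025_68306_status(platform.release()))
```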