{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21827", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.776Z", "datePublished": "2025-03-06T16:04:32.951Z", "dateUpdated": "2025-03-24T15:41:00.237Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:41:00.237Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()\n\nThe documentation for usb_driver_claim_interface() says that \"the\ndevice lock\" is needed when the function is called from places other\nthan probe(). This appears to be the lock for the USB interface\ndevice. The Mediatek btusb code gets called via this path:\n\n Workqueue: hci0 hci_power_on [bluetooth]\n Call trace:\n usb_driver_claim_interface\n btusb_mtk_claim_iso_intf\n btusb_mtk_setup\n hci_dev_open_sync\n hci_power_on\n process_scheduled_works\n worker_thread\n kthread\n\nWith the above call trace the device lock hasn't been claimed. Claim\nit.\n\nWithout this fix, we'd sometimes see the error \"Failed to claim iso\ninterface\". Sometimes we'd even see worse errors, like a NULL pointer\ndereference (where `intf->dev.driver` was NULL) with a trace like:\n\n Call trace:\n usb_suspend_both\n usb_runtime_suspend\n __rpm_callback\n rpm_suspend\n pm_runtime_work\n process_scheduled_works\n\nBoth errors appear to be fixed with the proper locking."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9", "lessThan": "930e1790b99e5839e1af69d2f7fd808f1fba2df9", "status": "affected", "versionType": "git"}, {"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9", "lessThan": "4194766ec8756f4f654d595ae49962acbac49490", "status": "affected", "versionType": "git"}, {"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9", "lessThan": "e9087e828827e5a5c85e124ce77503f2b81c3491", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/btusb.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.13", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.2", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/930e1790b99e5839e1af69d2f7fd808f1fba2df9"}, {"url": "https://git.kernel.org/stable/c/4194766ec8756f4f654d595ae49962acbac49490"}, {"url": "https://git.kernel.org/stable/c/e9087e828827e5a5c85e124ce77503f2b81c3491"}], "title": "Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()\n\nThe documentation for usb_driver_claim_interface() says that \"the\ndevice lock\" is needed when the function is called from places other\nthan probe(). This appears to be the lock for the USB interface\ndevice. The Mediatek btusb code gets called via this path:\n\n Workqueue: hci0 hci_power_on [bluetooth]\n Call trace:\n usb_driver_claim_interface\n btusb_mtk_claim_iso_intf\n btusb_mtk_setup\n hci_dev_open_sync\n hci_power_on\n process_scheduled_works\n worker_thread\n kthread\n\nWith the above call trace the device lock hasn't been claimed. Claim\nit.\n\nWithout this fix, we'd sometimes see the error \"Failed to claim iso\ninterface\". Sometimes we'd even see worse errors, like a NULL pointer\ndereference (where `intf->dev.driver` was NULL) with a trace like:\n\n Call trace:\n usb_suspend_both\n usb_runtime_suspend\n __rpm_callback\n rpm_suspend\n pm_runtime_work\n process_scheduled_works\n\nBoth errors appear to be fixed with the proper locking."}], "id": "CVE-2025-21827", "lastModified": "2025-03-06T16:15:54.967", "metrics": {}, "published": "2025-03-06T16:15:54.967", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4194766ec8756f4f654d595ae49962acbac49490"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/930e1790b99e5839e1af69d2f7fd808f1fba2df9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e9087e828827e5a5c85e124ce77503f2b81c3491"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()", "id": "2350395", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2350395"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()\nThe documentation for usb_driver_claim_interface() says that \"the\ndevice lock\" is needed when the function is called from places other\nthan probe(). This appears to be the lock for the USB interface\ndevice. The Mediatek btusb code gets called via this path:\nWorkqueue: hci0 hci_power_on [bluetooth]\nCall trace:\nusb_driver_claim_interface\nbtusb_mtk_claim_iso_intf\nbtusb_mtk_setup\nhci_dev_open_sync\nhci_power_on\nprocess_scheduled_works\nworker_thread\nkthread\nWith the above call trace the device lock hasn't been claimed. Claim\nit.\nWithout this fix, we'd sometimes see the error \"Failed to claim iso\ninterface\". Sometimes we'd even see worse errors, like a NULL pointer\ndereference (where `intf->dev.driver` was NULL) with a trace like:\nCall trace:\nusb_suspend_both\nusb_runtime_suspend\n__rpm_callback\nrpm_suspend\npm_runtime_work\nprocess_scheduled_works\nBoth errors appear to be fixed with the proper locking."], "name": "CVE-2025-21827", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21827\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21827\nhttps://lore.kernel.org/linux-cve-announce/2025030630-CVE-2025-21827-6735@gregkh/T"], "threat_severity": "Low"}