cve/2024/CVE-2024-58238.md
2025-09-29 21:09:30 +02:00

CVE-2024-58238

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test

This fixes the tx timeout issue seen while running a stress test on btnxpuart for a couple of hours, such that the interval between two HCI commands coincides with the power save timeout value of 2 seconds.

Test procedure using bash script:

```
hciconfig hci0 up
# Enable Power Save feature
hcitool -i hci0 cmd 3f 23 02 00 00
while (true)
do
    hciconfig hci0 leadv
    sleep 2
    hciconfig hci0 noleadv
    sleep 2
done
```

Error log, after adding a few more debug prints:

```
Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00
Bluetooth: hci0: Set UART break: on, status=0
Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled
Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00
Can't set advertise mode on hci0: Connection timed out (110)
Bluetooth: hci0: command 0x200a tx timeout
```

When the power save mechanism turns on UART break, and btnxpuart_tx_work() is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE, which prevents the psdata->work from being scheduled, which is responsible for turning OFF UART break.

This issue is fixed by adding a ps_lock mutex around UART break on/off as well as around ps_state read/write.

btnxpuart_tx_wakeup() will now read the updated ps_state value. If ps_state is PS_STATE_SLEEP, it will first schedule psdata->work, and then it will reschedule itself once UART break has been turned off and ps_state is PS_STATE_AWAKE.

Tested the above script for 50,000 iterations and the TX timeout error was not observed anymore.
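The interleaving described in the commit message can be replayed deterministically in a small C model. This is an added example, not the btnxpuart driver source: `struct ps_model`, `tx_wakeup()` and `command_sent()` are hypothetical names, and the model assumes that entering sleep asserts UART break before `ps_state` is written and that `ps_lock` makes those two steps atomic with respect to the TX wake-up.

```c
/* Constructed model of the ps_state race; not the btnxpuart driver code. */
#include <stdbool.h>
#include <stdio.h>

enum ps_state { PS_STATE_AWAKE, PS_STATE_SLEEP };

struct ps_model {
    enum ps_state ps_state;
    bool uart_break; /* UART break asserted: a command sent now times out */
    bool ps_work;    /* stands in for psdata->work being scheduled */
    bool tx_work;    /* stands in for tx_work being scheduled */
};

/* TX wake-up: if the link sleeps, wake it first; otherwise transmit. */
static void tx_wakeup(struct ps_model *m)
{
    if (m->ps_state == PS_STATE_SLEEP)
        m->ps_work = true;
    else
        m->tx_work = true;
}

/* Returns true if the queued HCI command goes out with break turned off. */
bool command_sent(bool use_ps_lock)
{
    struct ps_model m = { PS_STATE_AWAKE, false, false, false };

    m.uart_break = true;           /* power save timeout: break goes on */
    if (!use_ps_lock)
        tx_wakeup(&m);             /* unlocked: reads stale PS_STATE_AWAKE */
    m.ps_state = PS_STATE_SLEEP;   /* sleep transition completes */
    if (use_ps_lock)
        tx_wakeup(&m);             /* locked: waited, sees PS_STATE_SLEEP */

    if (m.ps_work) {               /* wake path: break off, then retry TX */
        m.uart_break = false;
        m.ps_state = PS_STATE_AWAKE;
        m.ps_work = false;
        tx_wakeup(&m);
    }
    return m.tx_work && !m.uart_break;
}

int main(void)
{
    printf("without ps_lock: %s\n", command_sent(false) ? "sent" : "tx timeout");
    printf("with ps_lock:    %s\n", command_sent(true) ? "sent" : "tx timeout");
    return 0;
}
```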

POC

Reference

No PoCs from references.

Github