cve/2025/CVE-2025-22102.md
2025-09-29 21:09:30 +02:00

CVE-2025-22102

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix kernel panic during FW release

This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signature.

When driver receives the bootloader signature, it enters FW download mode, but since no consecutive bootloader signatures seen, FW file is not requested.

After 60 seconds, when FW download times out, release_firmware causes a kernel panic.

```
[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573
[ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000
[ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000
[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev
[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1
[ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)
[ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2602.010191] pc : _raw_spin_lock+0x34/0x68
[ 2602.010201] lr : free_fw_priv+0x20/0xfc
[ 2602.020561] sp : ffff800089363b30
[ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000
[ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000
[ 2602.020577] x23: ffff0000dc856f38
[ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000
[ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000
[ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480
[ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002
[ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30
[ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000
[ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001
[ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573
[ 2602.083354] Call trace:
[ 2602.083356] _raw_spin_lock+0x34/0x68
[ 2602.083364] release_firmware+0x48/0x6c
[ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]
[ 2602.083383] hci_dev_open_sync+0xf0/0xa34
[ 2602.083391] hci_dev_open+0xd8/0x178
[ 2602.083399] hci_sock_ioctl+0x3b0/0x590
[ 2602.083405] sock_do_ioctl+0x60/0x118
[ 2602.083413] sock_ioctl+0x2f4/0x374
[ 2602.091430] __arm64_sys_ioctl+0xac/0xf0
[ 2602.091437] invoke_syscall+0x48/0x110
[ 2602.091445] el0_svc_common.constprop.0+0xc0/0xe0
[ 2602.091452] do_el0_svc+0x1c/0x28
[ 2602.091457] el0_svc+0x40/0xe4
[ 2602.091465] el0t_64_sync_handler+0x120/0x12c
[ 2602.091470] el0t_64_sync+0x190/0x194
```

POC

Reference

No PoCs from references.

Github