CVE-2025-22102

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix kernel panic during FW release

This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signature.

When driver receives the bootloader signature, it enters FW download mode, but since no consecutive bootloader signatures seen, FW file is not requested.

After 60 seconds, when FW download times out, release_firmware causes a kernel panic.

[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573
[ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000
[ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000
[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev
[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1
[ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)
[ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2602.010191] pc : _raw_spin_lock+0x34/0x68
[ 2602.010201] lr : free_fw_priv+0x20/0xfc
[ 2602.020561] sp : ffff800089363b30
[ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000
[ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000
[ 2602.020577] x23: ffff0000dc856f38
[ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000
[ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000
[ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480
[ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002
[ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30
[ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000
[ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001
[ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573
[ 2602.083354] Call trace:
[ 2602.083356] _raw_spin_lock+0x34/0x68
[ 2602.083364] release_firmware+0x48/0x6c
[ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]
[ 2602.083383] hci_dev_open_sync+0xf0/0xa34
[ 2602.083391] hci_dev_open+0xd8/0x178
[ 2602.083399] hci_sock_ioctl+0x3b0/0x590
[ 2602.083405] sock_do_ioctl+0x60/0x118
[ 2602.083413] sock_ioctl+0x2f4/0x374
[ 2602.091430] __arm64_sys_ioctl+0xac/0xf0
[ 2602.091437] invoke_syscall+0x48/0x110
[ 2602.091445] el0_svc_common.constprop.0+0xc0/0xe0
[ 2602.091452] do_el0_svc+0x1c/0x28
[ 2602.091457] el0_svc+0x40/0xe4
[ 2602.091465] el0t_64_sync_handler+0x120/0x12c
[ 2602.091470] el0t_64_sync+0x190/0x194

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.92 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.30 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.2 (excluding) |
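
A triage sketch for the information above, added here as an example and not taken from the kernel patch or from this advisory: it checks a `uname -r` string against the affected ranges in the table and looks in a kernel log for `release_firmware` called directly from `nxp_setup`, the frame pair in the trace. The function names are this example's own, and the range check covers upstream version numbers only, so vendor kernels with backported fixes need their changelog checked instead.

```python
import re

# Affected upstream ranges from the table: (from, inclusive), (up to, exclusive).
AFFECTED = [((6, 4, 0), (6, 6, 92)),
            ((6, 7, 0), (6, 12, 30)),
            ((6, 13, 0), (6, 14, 2))]

def parse_release(release):
    """Turn a `uname -r` string into (major, minor, patch); local suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(release):
    """True if the upstream version number falls inside one of the listed ranges."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)

# A stack frame as printed in an oops: symbol+0xoff/0xsize
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def trace_matches(log_text):
    """True if a release_firmware frame is immediately followed by its caller nxp_setup."""
    prev = None
    for line in log_text.splitlines():
        m = FRAME.search(line)
        cur = m.group(1) if m else None
        if (prev, cur) == ("release_firmware", "nxp_setup"):
            return True
        prev = cur
    return False

# Excerpt of the call trace quoted in the description.
SAMPLE_LOG = """\
[ 2602.083354] Call trace:
[ 2602.083356] _raw_spin_lock+0x34/0x68
[ 2602.083364] release_firmware+0x48/0x6c
[ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]
[ 2602.083383] hci_dev_open_sync+0xf0/0xa34
"""

if __name__ == "__main__":
    release = "6.6.23-lts-next-06236-gb586a521770e"  # kernel named in the oops above
    print("in affected range:", in_affected_range(release))
    print("trace signature  :", trace_matches(SAMPLE_LOG))
```

A kernel inside an affected range is only exposed when the btnxpuart driver is actually in use on the system.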