CVE-2025-22102

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix kernel panic during FW release

This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signatures.

When driver receives the bootloader signature, it enters FW download mode, but since no consequtive bootloader signatures seen, FW file is not requested.

After 60 seconds, when FW download times out, release_firmware causes a kernel panic.

[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573 [ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000 [ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000 [ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP [ 2601.992091] Modules linked in: algifhash algifskcipher afalg btnxpuart(O) pciexxx(O) mlan(O) overlay fsljruio caamjr caamkeyblobdesc caamhashdesc caamalgdesc cryptoengine authenc libdes crct10difce polyvalce sndsocfsleasrc sndsocfslasoccard imx8mediadev(C) sndsocfslmicfil polyvalgeneric sndsocfslxcvr sndsocfslsai sndsocimxaudmux sndsocfslasrc sndsocimxcard sndsocimxhdmi sndsocfslaud2htx sndsocfslutils imxpcmdma dwhdmicec flexcan candev [ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1 [ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT) [ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2602.010191] pc : rawspinlock+0x34/0x68 [ 2602.010201] lr : freefwpriv+0x20/0xfc [ 2602.020561] sp : ffff800089363b30 [ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000 [ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000 [ 2602.020577] x23: ffff0000dc856f38 [ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000 [ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000 [ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480 [ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002 [ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30 [ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000 [ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001 [ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573 [ 2602.083354] Call trace: [ 2602.083356] _rawspinlock+0x34/0x68 [ 2602.083364] releasefirmware+0x48/0x6c [ 2602.083370] nxpsetup+0x3c4/0x540 [btnxpuart] [ 2602.083383] hcidevopensync+0xf0/0xa34 [ 2602.083391] hcidevopen+0xd8/0x178 [ 2602.083399] hcisockioctl+0x3b0/0x590 [ 2602.083405] sockdoioctl+0x60/0x118 [ 2602.083413] sockioctl+0x2f4/0x374 [ 2602.091430] _arm64sysioctl+0xac/0xf0 [ 2602.091437] invokesyscall+0x48/0x110 [ 2602.091445] el0svccommon.constprop.0+0xc0/0xe0 [ 2602.091452] doel0svc+0x1c/0x28 [ 2602.091457] el0svc+0x40/0xe4 [ 2602.091465] el0t64synchandler+0x120/0x12c [ 2602.091470] el0t64_sync+0x190/0x194