AZL-49980

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading

When unload the btnxpuart driver, its associated timer will be deleted. If the timer happens to be modified at this moment, it leads to the kernel call this timer even after the driver unloaded, resulting in kernel panic. Use timershutdownsync() instead of deltimersync() to prevent rearming.

panic log: Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP Modules linked in: algifhash algifskcipher afalg moal(O) mlan(O) crct10difce polyvalce polyvalgeneric sndsocimxcard sndsocfslasoccard sndsocimxaudmux mxcjpegencdec v4l2jpeg sndsocwm8962 sndsocfslmicfil sndsocfslsai flexcan sndsocfslutils ap130x rpmsgctrl imxpcmdma candev rpmsgchar pwmfan fuse [last unloaded: btnxpuart] CPU: 5 PID: 723 Comm: memtester Tainted: G O 6.6.23-lts-next-06207-g4aef2658ac28 #1 Hardware name: NXP i.MX95 19X19 board (DT) pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0xffff80007a2cf464 lr : calltimerfn.isra.0+0x24/0x80 ... Call trace: 0xffff80007a2cf464 __runtimers+0x234/0x280 runtimer_softirq+0x20/0x40 __do_softirq+0x100/0x26c ____dosoftirq+0x10/0x1c callonirqstack+0x24/0x4c dosoftirqownstack+0x1c/0x2c irqexitrcu+0xc0/0xdc el0interrupt+0x54/0xd8 __el0irqhandlercommon+0x18/0x24 el0t64irqhandler+0x10/0x1c el0t64irq+0x190/0x194 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0,c0000000,40028143,1000721b Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---