In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btnxpuart: Fix random crash seen while removing driver
This fixes the random kernel crash seen while removing the driver, when running the load/unload test over multiple iterations.
1) modprobe btnxpuart
2) hciconfig hci0 reset
3) hciconfig (check hci0 interface up with valid BD address)
4) modprobe -r btnxpuart
Repeat steps 1 to 4
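The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(), which then runs after the module has been removed, causing a kernel crash. The trace below is consistent with this: the fault is an instruction abort in a kworker on the events workqueue, at an unsymbolized address, with btnxpuart reported as the last unloaded module.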
This latent issue was exposed after Power Save was enabled by default in commit 4183a7be7700 ("Bluetooth: btnxpuart: Enable Power Save feature on startup").
The new ps_cleanup() deasserts UART break immediately while closing the serdev device, cancels any scheduled ps_work and destroys the ps_lock mutex.
[ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258
[ 85.884624] Mem abort info:
[ 85.884625] ESR = 0x0000000086000007
[ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits
[ 85.884633] SET = 0, FnV = 0
[ 85.884636] EA = 0, S1PTW = 0
[ 85.884638] FSC = 0x07: level 3 translation fault
[ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000
[ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000
[ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
[ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]
[ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1
[ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)
[ 85.936182] Workqueue: events 0xffffd4a61638f380
[ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 85.952817] pc : 0xffffd4a61638f258
[ 85.952823] lr : 0xffffd4a61638f258
[ 85.952827] sp : ffff8000084fbd70
[ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000
[ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305
[ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970
[ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000
[ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090
[ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139
[ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50
[ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8
[ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000
[ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000
[ 85.977443] Call trace:
[ 85.977446] 0xffffd4a61638f258
[ 85.977451] 0xffffd4a61638f3e8
[ 85.977455] process_one_work+0x1d4/0x330
[ 85.977464] worker_thread+0x6c/0x430
[ 85.977471] kthread+0x108/0x10c
[ 85.977476] ret_from_fork+0x10/0x20
[ 85.977488] Code: bad PC value
[ 85.977491] ---[ end trace 0000000000000000 ]---
Present since v6.9.11
[
{
"id": "CVE-2024-46680-14b8d695",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/bluetooth/btnxpuart.c"
},
"digest": {
"line_hashes": [
"127685873369464699161886164648674432585",
"268383458813057678594118719487922633085",
"1976822336232193819751208415150402979",
"55046832534831995989221317731201907165",
"117664402757238887516442083393045586607",
"158025789800101812746492178601909684099",
"249798117636985608896890797559087206238",
"104841819220910763286646852370051468157",
"283115478844741826488664687932095784719",
"260077926404970704224678948625740071262",
"193801320687094171135754046126094476819",
"110702573783761298861145687555447666765"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@662a55986b88807da4d112d838c8aaa05810e938"
},
{
"id": "CVE-2024-46680-1e6e4739",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "nxp_serdev_remove"
},
"digest": {
"function_hash": "266889364007100822010429628297840646784",
"length": 549.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29a1d9971e38f92c84b363ff50379dd434ddfe1c"
},
{
"id": "CVE-2024-46680-27a5ab07",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "nxp_serdev_remove"
},
"digest": {
"function_hash": "266889364007100822010429628297840646784",
"length": 549.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@662a55986b88807da4d112d838c8aaa05810e938"
},
{
"id": "CVE-2024-46680-a3094b61",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "btnxpuart_close"
},
"digest": {
"function_hash": "221098126532787430364733056312835537678",
"length": 274.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29a1d9971e38f92c84b363ff50379dd434ddfe1c"
},
{
"id": "CVE-2024-46680-adde9e7e",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "btnxpuart_close"
},
"digest": {
"function_hash": "264238230196597472804273589687625803060",
"length": 314.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35237475384ab3622f63c3c09bdf6af6dacfe9c3"
},
{
"id": "CVE-2024-46680-b73d8c4f",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/bluetooth/btnxpuart.c"
},
"digest": {
"line_hashes": [
"127685873369464699161886164648674432585",
"268383458813057678594118719487922633085",
"1976822336232193819751208415150402979",
"55046832534831995989221317731201907165",
"117664402757238887516442083393045586607",
"158025789800101812746492178601909684099",
"14385585631574038003242846235105626448",
"104841819220910763286646852370051468157",
"283115478844741826488664687932095784719",
"260077926404970704224678948625740071262",
"193801320687094171135754046126094476819",
"110702573783761298861145687555447666765"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35237475384ab3622f63c3c09bdf6af6dacfe9c3"
},
{
"id": "CVE-2024-46680-c320ed68",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "btnxpuart_close"
},
"digest": {
"function_hash": "221098126532787430364733056312835537678",
"length": 274.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@662a55986b88807da4d112d838c8aaa05810e938"
},
{
"id": "CVE-2024-46680-ccce2c2a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "drivers/bluetooth/btnxpuart.c"
},
"digest": {
"line_hashes": [
"127685873369464699161886164648674432585",
"268383458813057678594118719487922633085",
"1976822336232193819751208415150402979",
"55046832534831995989221317731201907165",
"117664402757238887516442083393045586607",
"158025789800101812746492178601909684099",
"249798117636985608896890797559087206238",
"104841819220910763286646852370051468157",
"283115478844741826488664687932095784719",
"260077926404970704224678948625740071262",
"193801320687094171135754046126094476819",
"110702573783761298861145687555447666765"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29a1d9971e38f92c84b363ff50379dd434ddfe1c"
},
{
"id": "CVE-2024-46680-dc70ac47",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "drivers/bluetooth/btnxpuart.c",
"function": "nxp_serdev_remove"
},
"digest": {
"function_hash": "266889364007100822010429628297840646784",
"length": 549.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35237475384ab3622f63c3c09bdf6af6dacfe9c3"
}
]