{"id":"CVE-2025-22102","summary":"Bluetooth: btnxpuart: Fix kernel panic during FW release","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix kernel panic during FW release\n\nThis fixes a kernel panic seen during release FW in a stress test\nscenario where WLAN and BT FW download occurs simultaneously, and due to\na HW bug, chip sends out only 1 bootloader signatures.\n\nWhen driver receives the bootloader signature, it enters FW download\nmode, but since no consequtive bootloader signatures seen, FW file is\nnot requested.\n\nAfter 60 seconds, when FW download times out, release_firmware causes a\nkernel panic.\n\n[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573\n[ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000\n[ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000\n[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP\n[ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev\n[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G         C O       6.6.23-lts-next-06236-gb586a521770e #1\n[ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)\n[ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2602.010191] pc : _raw_spin_lock+0x34/0x68\n[ 2602.010201] lr : free_fw_priv+0x20/0xfc\n[ 2602.020561] sp : ffff800089363b30\n[ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000\n[ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000\n[ 2602.020577] x23: ffff0000dc856f38\n[ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000\n[ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000\n[ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480\n[ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002\n[ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30\n[ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000\n[ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001\n[ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573\n[ 2602.083354] Call trace:\n[ 2602.083356]  _raw_spin_lock+0x34/0x68\n[ 2602.083364]  release_firmware+0x48/0x6c\n[ 2602.083370]  nxp_setup+0x3c4/0x540 [btnxpuart]\n[ 2602.083383]  hci_dev_open_sync+0xf0/0xa34\n[ 2602.083391]  hci_dev_open+0xd8/0x178\n[ 2602.083399]  hci_sock_ioctl+0x3b0/0x590\n[ 2602.083405]  sock_do_ioctl+0x60/0x118\n[ 2602.083413]  sock_ioctl+0x2f4/0x374\n[ 2602.091430]  __arm64_sys_ioctl+0xac/0xf0\n[ 2602.091437]  invoke_syscall+0x48/0x110\n[ 2602.091445]  el0_svc_common.constprop.0+0xc0/0xe0\n[ 2602.091452]  do_el0_svc+0x1c/0x28\n[ 2602.091457]  el0_svc+0x40/0xe4\n[ 2602.091465]  el0t_64_sync_handler+0x120/0x12c\n[ 2602.091470]  el0t_64_sync+0x190/0x194","modified":"2026-04-02T12:45:21.489018Z","published":"2025-04-16T14:12:51.482Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22102.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f77c05408c96bc0b58ae476a9cadc9e5b9cfd0f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6749cf49eff7ce6dadcb603c5c8db70b28079a5d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0a736d9857cadd87ae48b151d787e28954ea831"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d22496de5049d9b8f5b6d8623682a56b3c3d7e18"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22102.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22102"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"689ca16e523278470c38832a3010645a78c544d8"},{"fixed":"a0a736d9857cadd87ae48b151d787e28954ea831"},{"fixed":"d22496de5049d9b8f5b6d8623682a56b3c3d7e18"},{"fixed":"6749cf49eff7ce6dadcb603c5c8db70b28079a5d"},{"fixed":"1f77c05408c96bc0b58ae476a9cadc9e5b9cfd0f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22102.json"}}],"schema_version":"1.7.5"}