Bug 1223667 (CVE-2024-26959)

Summary: VUL-0: CVE-2024-26959: kernel: Bluetooth: btnxpuart: Fix btnxpuart_close
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriele.sonnu, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403728/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26959:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-02 08:30:12 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix btnxpuart_close

Fix scheduling while atomic BUG in btnxpuart_close(), properly
purge the transmit queue and free the receive skb.

[   10.973809] BUG: scheduling while atomic: kworker/u9:0/80/0x00000002
...
[   10.980740] CPU: 3 PID: 80 Comm: kworker/u9:0 Not tainted 6.8.0-rc7-0.0.0-devel-00005-g61fdfceacf09 #1
[   10.980751] Hardware name: Toradex Verdin AM62 WB on Dahlia Board (DT)
[   10.980760] Workqueue: hci0 hci_power_off [bluetooth]
[   10.981169] Call trace:
...
[   10.981363]  uart_update_mctrl+0x58/0x78
[   10.981373]  uart_dtr_rts+0x104/0x114
[   10.981381]  tty_port_shutdown+0xd4/0xdc
[   10.981396]  tty_port_close+0x40/0xbc
[   10.981407]  uart_close+0x34/0x9c
[   10.981414]  ttyport_close+0x50/0x94
[   10.981430]  serdev_device_close+0x40/0x50
[   10.981442]  btnxpuart_close+0x24/0x98 [btnxpuart]
[   10.981469]  hci_dev_close_sync+0x2d8/0x718 [bluetooth]
[   10.981728]  hci_dev_do_close+0x2c/0x70 [bluetooth]
[   10.981862]  hci_power_off+0x20/0x64 [bluetooth]

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26959
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26959.mbox
https://git.kernel.org/stable/c/d4e2365b07f1ae1f811a915b514caef5b2d6581e
https://git.kernel.org/stable/c/586e099c93fe26b7bd40593979532f507ed9f6a4
https://git.kernel.org/stable/c/74bcf708775c405f7fb6ed776ccd3e1957f38a52
https://git.kernel.org/stable/c/664130c0b0309b360bc5bdd40a30604a9387bde8
https://www.cve.org/CVERecord?id=CVE-2024-26959
https://bugzilla.redhat.com/show_bug.cgi?id=2278180
Comment 14 Andrea Mattiazzo 2024-06-10 10:22:22 UTC 
All done, closing.