Message-ID: <6837167.ZASKD2KPVS@fedora.fritz.box>
Date: Tue, 21 Oct 2025 22:53:12 +0200
From: Francesco Valla <francesco@...la.it>
To: Calvin Owens <calvin@...nvd.org>, Marcel Holtmann <marcel@...tmann.org>,
 Luiz Augusto von Dentz <luiz.dentz@...il.com>,
 Paul Menzel <pmenzel@...gen.mpg.de>
Cc: linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [BUG] Erratic behavior in btnxpuart on v6.18-rc2 - and a possible solution

Hello,

while testing Bluetooth on my NXP i.MX93 FRDM, which is equipped with an IW612
Bluetooth chipset from NXP, I encountered an erratic bug during initialization.

While the firmware download always completed without errors, subsequent HCI
communication would fail most of the time with:

    Frame reassembly failed (-84)

After some debugging, I found the culprit to be this patch that was integrated as
part of the current (v6.18) cycle:

    93f06f8f0daf Bluetooth: remove duplicate h4_recv_buf() in header [1]

The reason is simple: the h4_recv_buf() function from hci_h4.c, which is now
used instead of the "duplicated" one in the (now removed) h4_recv_buf.h, assumes
that the private drvdata for the input struct hci_dev is a pointer to a
struct hci_uart, but that's not the case for the btnxpuart driver. In this
case, the information about padding and alignment is pretty random and
depends on the content of the data that was incorrectly cast as a
struct hci_uart.

The bug should also impact the other platforms that were touched by the
same patch.

For the time being, I'd then propose to revert the commit.

Thank you

Regards,
Francesco Valla

[1] https://lore.kernel.org/linux-bluetooth/be8edf7f8ba8dea6c61272b02fb20a4ac7e1c5a5.1756179634.git.calvin@wbinvd.org/
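
A simplified user-space model of the drvdata mismatch described in the message above, added here as an illustration and not taken from the kernel or from the original message. All struct and function names, the type tag and the firmware-name bytes are constructed assumptions; it shows a shared helper reading an "alignment" value out of another driver's private data, beside a variant that checks a type tag before trusting the pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space models: names and layouts are hypothetical. */
enum priv_kind { PRIV_UART = 1, PRIV_NXP = 2 };

struct model_uart {                /* type the shared helper assumes */
    enum priv_kind kind;
    unsigned char alignment;
    unsigned char padding;
};

struct model_nxp {                 /* type another driver really stores */
    enum priv_kind kind;
    unsigned char fw_name[16];
};

struct model_dev { void *drvdata; };   /* untyped private pointer */

/* Unchecked helper: treats drvdata as model_uart whatever it really is.
 * Bytes are read through unsigned char * so the demo stays defined C. */
static unsigned char unchecked_alignment(const struct model_dev *d)
{
    const unsigned char *raw = d->drvdata;
    return raw[offsetof(struct model_uart, alignment)];
}

/* Checked helper: refuses private data that is not tagged as model_uart. */
static int checked_alignment(const struct model_dev *d)
{
    enum priv_kind kind;
    memcpy(&kind, d->drvdata, sizeof(kind));
    if (kind != PRIV_UART)
        return -1;
    return ((const struct model_uart *)d->drvdata)->alignment;
}

int main(void)
{
    struct model_nxp nxp = { PRIV_NXP, "nxp/fw.bin" };  /* constructed sample */
    struct model_dev dev = { &nxp };

    printf("unchecked alignment: %u\n", (unsigned)unchecked_alignment(&dev));
    printf("checked alignment:   %d\n", checked_alignment(&dev));
    return 0;
}
```

In the unchecked path the "alignment" is simply the first byte of the other driver's firmware name, so the value changes with whatever that driver happens to store there.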