Linux powers billions of devices, from cloud servers to embedded electronics. However, even the tiniest vulnerability in the kernel can lead to instability or security risks—especially with hardware drivers. Let’s look closely at CVE-2024-26959, a bug in the Linux kernel's Bluetooth stack, specifically within the btnxpuart driver. We'll explain what happened, why it's a problem, examine the fixed code, and discuss its exploit potential.
What is CVE-2024-26959?
*CVE-2024-26959* is a vulnerability in the Linux kernel Bluetooth subsystem introduced through the btnxpuart serial driver. In certain situations, a scheduling while atomic bug occurs during Bluetooth device shutdown, causing instability or even potential denial-of-service (DoS).
Root Cause
Within the btnxpuart_close() function (called when a Bluetooth UART device is closed), kernel developers found code that purges transmit queues and frees buffers *while the code path is running in an atomic context*. This is unsafe: some functions called from that point can *sleep*, but you can’t sleep when atomic. The bug triggers a warning:
[ 10.973809] BUG: scheduling while atomic: kworker/u9:/80/x00000002
This means the kernel detected an illegal context switch, something that often leads to instability, panics, or worse if left unchecked.
Example Call Trace
[ 10.980740] CPU: 3 PID: 80 Comm: kworker/u9: Not tainted 6.8.-rc7-..-devel-00005-g61fdfceacf09 #1
[ 10.980760] Workqueue: hci hci_power_off [bluetooth]
[ 10.981442] btnxpuart_close+x24/x98 [btnxpuart]
Affected Versions
- Linux 6.8.-rc7 (and possibly earlier/later development builds before the fix)
Understanding the Fix
The core problem was that btnxpuart_close() was calling functions that may sleep while holding locks that disallow it. The fix ensures the transmit queue is properly purged and the receive buffer is securely freed outside the atomic context, using safe locking.
Vulnerable code example
static void btnxpuart_close(struct hci_dev *hdev)
{
struct btnxpuart_info *info = hci_get_drvdata(hdev);
/* ... */
// Not safe: Can sleep while atomic!
skb_queue_purge(&info->txq);
if (info->rx_skb)
kfree_skb(info->rx_skb);
/* ... */
}
Here, skb_queue_purge() and kfree_skb() might sleep or otherwise conflict with atomic-lock rules.
Safe fixed version
static void btnxpuart_close(struct hci_dev *hdev)
{
struct btnxpuart_info *info = hci_get_drvdata(hdev);
/* ... */
// Use local variable to safely handle the queue
struct sk_buff *skb;
// Purge transmit queue safely
while ((skb = skb_dequeue(&info->txq))) {
kfree_skb(skb);
}
// Free any remaining received buffer
skb = xchg(&info->rx_skb, NULL);
if (skb)
kfree_skb(skb);
/* ... */
}
This refactor prevents any sleeping operations inside atomic context, making the function safe for all kernel code paths.
While CVE-2024-26959 is not a typical privilege escalation bug, it is still dangerous
- Denial of Service (DoS): Malicious or buggy userland code (normally via Bluetooth user operations) could trigger these code paths, crashing the worker queue handling Bluetooth power off. This could lead to kernel panics or device instability.
- Embedded risk: Devices like IoT boards (e.g., Toradex Verdin AM62) could suffer repeated reboots or lockups, critical for remote or unattended deployments.
Anyone using the Linux kernel with btnxpuart Bluetooth hardware
- Embedded/industrial boards likely to use this driver for Bluetooth connectivity
Check for the Bug
- Review system logs (dmesg, journalctl -k) for “BUG: scheduling while atomic” and Bluetooth/btnxpuart mentions.
Upgrade Path
This vulnerability is fixed in upstream Linux kernel patches. Distributions shipping 6.8+ should pick up the fix soon. Users compiling their own kernels on affected hardware should pull the latest mainline or the relevant stable patch.
Original Commit (kernel.org):
Bluetooth: btnxpuart: Fix scheduling while atomic in btnxpuart_close
Linux Bluetooth Mailing List Post:
https://lore.kernel.org/linux-bluetooth/Zd-j7h8TK6Q9zIRL@google.com/
CVE Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26959
Final Words
While not a high-profile security hole, CVE-2024-26959 demonstrates why driver-level bugs matter, even in low-level hardware paths like Bluetooth UART. Especially for embedded system developers and system integrators, staying up to date with kernel fixes is vital—not only for security, but also for device stability and reliability.
If you ship products with Linux Bluetooth UART support, patch your kernels today!
#### *This article is exclusive, researched and written for this post only. If you found this useful, let others know about the importance of reviewing and patching even “small” kernel bugs.*
Timeline
Published on: 05/01/2024 06:15:12 UTC
Last modified on: 09/18/2025 14:09:48 UTC