CVE-2022-50833

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation.

The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete.

Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}timer works because hci{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3b382555706558f5c0587862b6dc03e96a252bba < c4635cf3d845a7324c25c52d549b70c8bd7ad4c7affected
LinuxLinux877afadad2dce8aae1f2aad8ce47e072d4f6165e < 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0affected
LinuxLinux877afadad2dce8aae1f2aad8ce47e072d4f6165e < deee93d13d385103205879a8a0915036ecd83261affected
LinuxLinux4bf367fa1fefabdf14938d0ac9ed60020389112eaffected
LinuxLinux5.19.2 < 5.19.15affected
LinuxLinux5.18.18 < 5.19affected
LinuxLinux6.0affected
LinuxLinux0 < 6.0unaffected
LinuxLinux5.19.15 <= 5.19.*unaffected
LinuxLinux6.0.1 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References