CVE-2022-50833
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation.
The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete.
Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}timer works because hci{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3b382555706558f5c0587862b6dc03e96a252bba < c4635cf3d845a7324c25c52d549b70c8bd7ad4c7 | affected |
| Linux | Linux | 877afadad2dce8aae1f2aad8ce47e072d4f6165e < 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 | affected |
| Linux | Linux | 877afadad2dce8aae1f2aad8ce47e072d4f6165e < deee93d13d385103205879a8a0915036ecd83261 | affected |
| Linux | Linux | 4bf367fa1fefabdf14938d0ac9ed60020389112e | affected |
| Linux | Linux | 5.19.2 < 5.19.15 | affected |
| Linux | Linux | 5.18.18 < 5.19 | affected |
| Linux | Linux | 6.0 | affected |
| Linux | Linux | 0 < 6.0 | unaffected |
| Linux | Linux | 5.19.15 <= 5.19.* | unaffected |
| Linux | Linux | 6.0.1 <= 6.0.* | unaffected |
| Linux | Linux | 6.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7
- https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0
- https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.