Bug 2373452 (CVE-2022-49968) - CVE-2022-49968 kernel: ieee802154/adf7242: defer destroy_workqueue call
Summary: CVE-2022-49968 kernel: ieee802154/adf7242: defer destroy_workqueue call
Keywords:
Status: NEW
Alias: CVE-2022-49968
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-18 12:03 UTC by OSIDB Bzimport
Modified: 2025-06-20 05:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-18 12:03:37 UTC
In the Linux kernel, the following vulnerability has been resolved:

ieee802154/adf7242: defer destroy_workqueue call

There is a possible race condition (use-after-free) like below

  (FREE)                     |  (USE)
  adf7242_remove             |  adf7242_channel
   cancel_delayed_work_sync  |
    destroy_workqueue (1)    |   adf7242_cmd_rx
                             |    mod_delayed_work (2)
                             |

The root cause for this race is that the upper layer (ieee802154) is
unaware of this detaching event and the function adf7242_channel can
be called without any checks.

To fix this, we can add a flag write at the beginning of adf7242_remove
and add a flag check in adf7242_channel. Or we can just defer the
destructive operation, like the other commit 3e0588c291d6 ("hamradio: defer
ax25 kfree after unregister_netdev"), which lets
ieee802154_unregister_hw() handle the synchronization. This patch
takes the second option.

runs")
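
The ordering problem described above, as an added user-space model that is not the driver's code or the upstream patch: it replays an upper-layer call between every teardown step and counts calls that touch the workqueue after it was destroyed. The `model_*` names are hypothetical, and the model assumes, as the description states, that ieee802154_unregister_hw() stops the upper layer from calling into the driver.

```c
/* Constructed user-space model of the adf7242 teardown race; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct model_wq { bool destroyed; int queued; };

struct model_dev {
    struct model_wq wq;
    bool registered;        /* upper layer (ieee802154) may still call in */
    int use_after_destroy;  /* calls that would be a use-after-free */
};

/* Stand-in for adf7242_channel -> adf7242_cmd_rx -> mod_delayed_work (2). */
static void model_channel(struct model_dev *d)
{
    if (!d->registered)
        return;                     /* assumption: no dispatch after unregister */
    if (d->wq.destroyed)
        d->use_after_destroy++;     /* workqueue already gone: UAF in the kernel */
    else
        d->wq.queued++;
}

/* Run the teardown in the chosen order, with an upper-layer call between steps.
 * Returns the number of calls that hit the destroyed workqueue. */
static int model_remove(bool unregister_first)
{
    struct model_dev d = { .registered = true };

    if (unregister_first)
        d.registered = false;       /* ieee802154_unregister_hw() moved up */
    model_channel(&d);
    d.wq.destroyed = true;          /* cancel_delayed_work_sync + destroy_workqueue (1) */
    model_channel(&d);
    d.registered = false;           /* unregister after destroy (no-op if done above) */
    model_channel(&d);
    return d.use_after_destroy;
}

int main(void)
{
    printf("destroy first:    %d use-after-destroy\n", model_remove(false));
    printf("unregister first: %d use-after-destroy\n", model_remove(true));
    return 0;
}
```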

Comment 1 Avinash Hanwate 2025-06-20 05:02:01 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061816-CVE-2022-49968-6e78@gregkh/T

