2426258 – (CVE-2022-50833) CVE-2022-50833 kernel: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

Bug 2426258 (CVE-2022-50833) - CVE-2022-50833 kernel: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

Summary: CVE-2022-50833 kernel: Bluetooth: use hdev->workqueue when queuing hdev->{cmd...

Keywords:
Status:	NEW
Alias:	CVE-2022-50833
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-30 13:19 UTC by OSIDB Bzimport
Modified:	2025-12-31 11:00 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:19:56 UTC

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq
WQ into hdev->workqueue WQ which is under draining operation [1], for
commit c8efcc2589464ac7 ("workqueue: allow chained queueing during
destruction") does not allow such operation.

The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work
queue is drained, only queue chained work") was incomplete.

Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because
hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect
the queuing operation with RCU read lock in order to avoid calling
queue_delayed_work() after cancel_delayed_work() completed.

Comment 1 Alexander B 2025-12-30 21:30:30 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123017-CVE-2022-50833-92af@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.