CVE-2022-50166 Information
Description
In the Linux kernel the following vulnerability has been resolved:
Bluetooth: When HCI work queue is drained only queue chained work
The HCI command event and data packet processing workqueue is drained to avoid deadlock in commit 76727c02c1e1 ("Bluetooth: Call drain_workqueue() before resetting state").
There is another delayed work which will queue a command to this drained workqueue, which results in the following error report:
Bluetooth: hci2: command 0x040f tx timeout
WARNING: CPU: 1 PID: 18374 at kernel/workqueue.c:1438 __queue_work+0xdad/0x1140
Workqueue: events hci_cmd_timeout
RIP: 0010:__queue_work+0xdad/0x1140
RSP: 0000:ffffc90002cffc60 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff8880b9d3ec00 RCX: 0000000000000000
RDX: ffff888024ba0000 RSI: ffffffff814e048d RDI: ffff8880b9d3ec08
RBP: 0000000000000008 R08: 0000000000000000 R09: 00000000b9d39700
R10: ffffffff814f73c6 R11: 0000000000000000 R12: ffff88807cce4c60
R13: 0000000000000000 R14: ffff8880796d8800 R15: ffff8880796d8800
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0174b4000 CR3: 000000007cae9000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
To fix this we can add a new HCI_DRAIN_WQ flag and not queue the timeout workqueue while the command workqueue is draining.
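The interaction above is easier to see in a runnable model than in a register dump. The following is an added example, written for this page and not kernel code: a single-CPU userspace toy of the kernel's workqueue rules (a draining queue accepts only "chained" work, i.e. work queued by one of its own workers, and anything else hits a WARN and is dropped, as in __queue_work()), with a hypothetical slice of hci_dev and simplified stand-ins for hci_cmd_work, hci_rx_work and hci_cmd_timeout. The names and layout are assumptions chosen for illustration; only the flag name HCI_DRAIN_WQ and the set-flag/drain/clear shape of the fix come from the description above.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_WORK 16

typedef void (*work_fn)(void *ctx);
struct work { work_fn fn; void *ctx; };

/* Toy single-CPU workqueue: a ring of pending items plus a draining bit
 * standing in for the kernel's __WQ_DRAINING. (Model, not kernel code.) */
struct workqueue {
    const char *name;
    struct work items[MAX_WORK];
    unsigned head, tail;
    bool draining;
};

static struct workqueue *current_wq; /* queue whose worker is running now */
static int warn_count;               /* modeled WARN_ON_ONCE() hits */

static bool pending(const struct workqueue *wq) { return wq->tail != wq->head; }

/* Like __queue_work(): once a queue is draining, only chained work (queued
 * by a worker of that same queue) is accepted; any other caller hits the
 * WARN and its work is dropped. */
static bool queue_work(struct workqueue *wq, work_fn fn, void *ctx)
{
    if (wq->draining && current_wq != wq) {
        warn_count++;
        fprintf(stderr, "WARNING: non-chained queue_work on draining %s\n", wq->name);
        return false;
    }
    if (wq->tail - wq->head >= MAX_WORK)
        return false;
    wq->items[wq->tail++ % MAX_WORK] = (struct work){ fn, ctx };
    return true;
}

static void run_one(struct workqueue *wq)
{
    struct work w = wq->items[wq->head++ % MAX_WORK];
    struct workqueue *prev = current_wq;
    current_wq = wq;
    w.fn(w.ctx);
    current_wq = prev;
}

/* Drain wq; after each item let `concurrent` run one item, modeling another
 * CPU servicing the system "events" queue in the middle of the drain. */
static void drain_workqueue(struct workqueue *wq, struct workqueue *concurrent)
{
    wq->draining = true;
    while (pending(wq)) {
        run_one(wq);
        if (concurrent && pending(concurrent))
            run_one(concurrent);
    }
    wq->draining = false;
}

/* Hypothetical slice of hci_dev state; HCI_DRAIN_WQ is the flag the fix adds. */
enum { HCI_DRAIN_WQ = 1u << 0 };
struct hci_dev {
    unsigned flags;
    struct workqueue *workqueue; /* hdev->workqueue, drained on reset */
    int cmd_work_runs;
    bool guarded;                /* apply the HCI_DRAIN_WQ check? */
};

static void hci_cmd_work(void *ctx) { ((struct hci_dev *)ctx)->cmd_work_runs++; }

/* Runs on hdev->workqueue itself: requeueing cmd_work from here is chained
 * work and stays legal during a drain. */
static void hci_rx_work(void *ctx)
{
    struct hci_dev *hdev = ctx;
    queue_work(hdev->workqueue, hci_cmd_work, hdev);
}

/* The delayed tx-timeout work runs on the "events" queue, not on
 * hdev->workqueue, so its queue_work() during a drain is not chained. */
static void hci_cmd_timeout(void *ctx)
{
    struct hci_dev *hdev = ctx;
    if (hdev->guarded && (hdev->flags & HCI_DRAIN_WQ))
        return; /* the fix: do not queue into a draining workqueue */
    queue_work(hdev->workqueue, hci_cmd_work, hdev);
}

/* Returns how many WARNs the timeout-during-drain interleaving produced. */
static int run_timeout_scenario(bool guarded)
{
    struct workqueue events = { .name = "events" };
    struct workqueue hci_wq = { .name = "hci0" };
    struct hci_dev hdev = { .workqueue = &hci_wq, .guarded = guarded };

    warn_count = 0;
    queue_work(&hci_wq, hci_cmd_work, &hdev);    /* command in flight */
    queue_work(&events, hci_cmd_timeout, &hdev); /* its tx timeout armed */
    if (guarded) hdev.flags |= HCI_DRAIN_WQ;     /* reset path with the fix */
    drain_workqueue(&hci_wq, &events);
    if (guarded) hdev.flags &= ~HCI_DRAIN_WQ;
    return warn_count;
}

/* Chained requeue from a worker of the draining queue: no WARN, and the
 * requeued cmd_work still runs. Returns cmd_work_runs. */
static int run_chained_scenario(void)
{
    struct workqueue hci_wq = { .name = "hci0" };
    struct hci_dev hdev = { .workqueue = &hci_wq };

    warn_count = 0;
    queue_work(&hci_wq, hci_rx_work, &hdev);
    drain_workqueue(&hci_wq, NULL);
    return hdev.cmd_work_runs;
}

int main(void)
{
    printf("unguarded timeout during drain: %d WARN(s)\n", run_timeout_scenario(false));
    printf("HCI_DRAIN_WQ guarded:           %d WARN(s)\n", run_timeout_scenario(true));
    printf("chained requeue: cmd_work ran %d time(s), %d WARN(s)\n",
           run_chained_scenario(), warn_count);
    return 0;
}
```

The unguarded run reproduces the shape of the report above (a WARN from the queueing path while hci_cmd_timeout runs on the events queue); the guarded run shows why the flag must be set before drain_workqueue() starts and cleared only after it returns, and the chained run shows the case the patch title refers to, which the drain still permits.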
Reference
https://git.kernel.org/stable/c/3b382555706558f5c0587862b6dc03e96a252bba
https://git.kernel.org/stable/c/4bf367fa1fefabdf14938d0ac9ed60020389112e
https://git.kernel.org/stable/c/877afadad2dce8aae1f2aad8ce47e072d4f6165e
Related CNNVD
CNNVD-202506-2450 (Published: 2025-06-18)