CVE-2022-50339

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/09/2025
Last modified:
17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()

syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MGMT flag from mgmt_index_removed() from hci_sock_bind() due to lack of serialization via hci_dev_lock().

Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag after INIT_DELAYED_WORK() completed.

This is a local fix based on mgmt_chan_list_lock. Lack of serialization via hci_dev_lock() might be causing different race conditions somewhere else. But a global fix based on hci_dev_lock() should deserve a future patch.
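The ordering problem described above can be checked with a small user-space model. This is an added example, not kernel code and not part of the patch: `struct model_hdev`, the `step` enum and `count_bad_interleavings()` are hypothetical names, and the model assumes each step is atomic and observed in program order.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (assumption): one flag bit and one delayed work item. */
struct model_hdev {
    bool mgmt_flag;        /* stands in for HCI_MGMT */
    bool work_initialized; /* true once INIT_DELAYED_WORK() has run */
};

/* The init path, split into steps so the removal path can run in between. */
enum step { TEST_AND_SET_FLAG, TEST_FLAG, INIT_WORK, SET_FLAG };

static const enum step old_order[] = { TEST_AND_SET_FLAG, INIT_WORK };
static const enum step new_order[] = { TEST_FLAG, INIT_WORK, SET_FLAG };

static void run_step(struct model_hdev *d, enum step s)
{
    switch (s) {
    case TEST_AND_SET_FLAG: /* publishes the flag, same as SET_FLAG */
    case SET_FLAG:  d->mgmt_flag = true; break;
    case INIT_WORK: d->work_initialized = true; break;
    case TEST_FLAG: break; /* read only, flag starts clear in this model */
    }
}

/* Removal path: cancels the work only when the flag is set. Returns true
 * when that cancel would touch work that was never initialized. */
static bool removal_hits_uninit_work(const struct model_hdev *d)
{
    return d->mgmt_flag && !d->work_initialized;
}

/* Run the removal check before, between and after the init steps and
 * count the schedules in which it cancels uninitialized work. */
int count_bad_interleavings(const enum step *order, int nsteps)
{
    int bad = 0;
    for (int cut = 0; cut <= nsteps; cut++) {
        struct model_hdev d = { false, false };
        for (int i = 0; i < cut; i++)
            run_step(&d, order[i]);
        if (removal_hits_uninit_work(&d))
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("old order: %d bad schedule(s)\n", count_bad_interleavings(old_order, 2));
    printf("new order: %d bad schedule(s)\n", count_bad_interleavings(new_order, 3));
    return 0;
}
```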

Impact