CVE-2022-50833

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation.

The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete.

Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed.
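The chained-queueing rule behind this fix, as an added user-space model that is not kernel code and not part of the original advisory. The `struct wq` type and all `model_*` and `timeout_from_*` names are hypothetical; the RCU protection of the queuing call is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model (an assumption, not kernel code): while a workqueue is
 * draining, it accepts only work queued by one of its own workers. */
struct wq { const char *name; bool draining; };

static struct wq *current_wq; /* workqueue of the running worker, or NULL */

/* Returns true if accepted, false if the drain check rejects the item. */
bool model_queue_work(struct wq *target)
{
    if (target->draining && current_wq != target)
        return false; /* not chained work: the case syzbot reported */
    return true;
}

/* Model of hci_cmd_timeout(): runs on timer_wq, queues into hdev_wq. */
bool model_cmd_timeout(struct wq *timer_wq, struct wq *hdev_wq)
{
    struct wq *prev = current_wq;
    bool ok;

    current_wq = timer_wq; /* the timer work executes on this workqueue */
    ok = model_queue_work(hdev_wq);
    current_wq = prev;
    return ok;
}

/* Before the fix: the cmd_timer work ran on system_wq. */
bool timeout_from_system_wq(bool draining)
{
    struct wq system_wq = { "system_wq", false };
    struct wq hdev_wq = { "hdev->workqueue", draining };
    return model_cmd_timeout(&system_wq, &hdev_wq);
}

/* After the fix: the cmd_timer work runs on hdev->workqueue itself. */
bool timeout_from_hdev_wq(bool draining)
{
    struct wq hdev_wq = { "hdev->workqueue", draining };
    return model_cmd_timeout(&hdev_wq, &hdev_wq);
}

int main(void)
{
    printf("system_wq timer, draining: %d\n", timeout_from_system_wq(true));
    printf("hdev wq timer, draining:   %d\n", timeout_from_hdev_wq(true));
    return 0;
}
```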

Impact