CVE-2022-49555
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49555
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49555.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49555
- Downstream
- Related
- Published
- 2025-02-26T02:14:03Z
- Modified
- 2025-10-21T10:56:10.596637Z
- Summary
- Bluetooth: hci_qca: Use del_timer_sync() before freeing
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hciqca: Use deltimer_sync() before freeing
While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling deltimer() instead of deltimer_sync() just before freeing.
One possible culprit is the hci_qca driver, which does exactly that.
Eric mentioned that wakeretranstimer could be rearmed via the work queue, so also move the destruction of the work queue before deltimersync().
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2717654ae022e6ea959a4b7b762702fe1a4690c2
- https://git.kernel.org/stable/c/37d17f63d085d601011964ade7371aeebeb6ed4b
- https://git.kernel.org/stable/c/4989bb03342941f2b730b37dfa38bce27b543661
- https://git.kernel.org/stable/c/72ef98445aca568a81c2da050532500a8345ad3a
- https://git.kernel.org/stable/c/db03727b4bbbbb36e6ef4cb655c670eefb6448e9
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0ff252c1976da5d80db1377eb39b551931e61826Fixed4989bb03342941f2b730b37dfa38bce27b543661
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0ff252c1976da5d80db1377eb39b551931e61826Fixeddb03727b4bbbbb36e6ef4cb655c670eefb6448e9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0ff252c1976da5d80db1377eb39b551931e61826Fixed37d17f63d085d601011964ade7371aeebeb6ed4b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0ff252c1976da5d80db1377eb39b551931e61826Fixed2717654ae022e6ea959a4b7b762702fe1a4690c2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0ff252c1976da5d80db1377eb39b551931e61826Fixed72ef98445aca568a81c2da050532500a8345ad3a
Affected versions
v4.*
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.110
v5.10.111
v5.10.112
v5.10.113
v5.10.114
v5.10.115
v5.10.116
v5.10.117
v5.10.118
v5.10.119
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4989bb03342941f2b730b37dfa38bce27b543661",
"id": "CVE-2022-49555-0cd96f96",
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Line",
"digest": {
"line_hashes": [
"89576182324682455811084539690417044016",
"227735536535222409376081039047620694425",
"134392330128108354644327976121023571241",
"233634701649690411917672102623412915151",
"34618231214875223090457591245612085797",
"107849667433214136943309132040899516530"
],
"threshold": 0.9
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4989bb03342941f2b730b37dfa38bce27b543661",
"id": "CVE-2022-49555-143ef4e9",
"signature_version": "v1",
"target": {
"function": "qca_close",
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Function",
"digest": {
"function_hash": "193787967229885238352705235135314366263",
"length": 479.0
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2717654ae022e6ea959a4b7b762702fe1a4690c2",
"id": "CVE-2022-49555-18dc32a8",
"signature_version": "v1",
"target": {
"function": "qca_close",
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Function",
"digest": {
"function_hash": "193787967229885238352705235135314366263",
"length": 479.0
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@37d17f63d085d601011964ade7371aeebeb6ed4b",
"id": "CVE-2022-49555-3272e19f",
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Line",
"digest": {
"line_hashes": [
"89576182324682455811084539690417044016",
"227735536535222409376081039047620694425",
"134392330128108354644327976121023571241",
"233634701649690411917672102623412915151",
"34618231214875223090457591245612085797",
"107849667433214136943309132040899516530"
],
"threshold": 0.9
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db03727b4bbbbb36e6ef4cb655c670eefb6448e9",
"id": "CVE-2022-49555-401df768",
"signature_version": "v1",
"target": {
"function": "qca_close",
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Function",
"digest": {
"function_hash": "193787967229885238352705235135314366263",
"length": 479.0
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72ef98445aca568a81c2da050532500a8345ad3a",
"id": "CVE-2022-49555-510cc522",
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Line",
"digest": {
"line_hashes": [
"89576182324682455811084539690417044016",
"227735536535222409376081039047620694425",
"134392330128108354644327976121023571241",
"233634701649690411917672102623412915151",
"34618231214875223090457591245612085797",
"107849667433214136943309132040899516530"
],
"threshold": 0.9
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@37d17f63d085d601011964ade7371aeebeb6ed4b",
"id": "CVE-2022-49555-5daca766",
"signature_version": "v1",
"target": {
"function": "qca_close",
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Function",
"digest": {
"function_hash": "193787967229885238352705235135314366263",
"length": 479.0
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72ef98445aca568a81c2da050532500a8345ad3a",
"id": "CVE-2022-49555-65a6df5f",
"signature_version": "v1",
"target": {
"function": "qca_close",
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Function",
"digest": {
"function_hash": "193787967229885238352705235135314366263",
"length": 479.0
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2717654ae022e6ea959a4b7b762702fe1a4690c2",
"id": "CVE-2022-49555-674b5e80",
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Line",
"digest": {
"line_hashes": [
"89576182324682455811084539690417044016",
"227735536535222409376081039047620694425",
"134392330128108354644327976121023571241",
"233634701649690411917672102623412915151",
"34618231214875223090457591245612085797",
"107849667433214136943309132040899516530"
],
"threshold": 0.9
}
},
{
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db03727b4bbbbb36e6ef4cb655c670eefb6448e9",
"id": "CVE-2022-49555-ac13ff8b",
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/hci_qca.c"
},
"signature_type": "Line",
"digest": {
"line_hashes": [
"89576182324682455811084539690417044016",
"227735536535222409376081039047620694425",
"134392330128108354644327976121023571241",
"233634701649690411917672102623412915151",
"34618231214875223090457591245612085797",
"107849667433214136943309132040899516530"
],
"threshold": 0.9
}
}
]