CVE-2022-50166
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50166
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50166.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50166
- Downstream
- Related
- Published
- 2025-06-18T11:03:20Z
- Modified
- 2025-10-21T12:24:45.130025Z
- Summary
- Bluetooth: When HCI work queue is drained, only queue chained work
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: When HCI work queue is drained, only queue chained work
The HCI command, event, and data packet processing workqueue is drained to avoid deadlock in commit 76727c02c1e1 ("Bluetooth: Call drain_workqueue() before resetting state").
There is another delayed work, which will queue command to this drained workqueue. Which results in the following error report:
Bluetooth: hci2: command 0x040f tx timeout WARNING: CPU: 1 PID: 18374 at kernel/workqueue.c:1438 queuework+0xdad/0x1140 Workqueue: events hcicmdtimeout RIP: 0010:queuework+0xdad/0x1140 RSP: 0000:ffffc90002cffc60 EFLAGS: 00010093 RAX: 0000000000000000 RBX: ffff8880b9d3ec00 RCX: 0000000000000000 RDX: ffff888024ba0000 RSI: ffffffff814e048d RDI: ffff8880b9d3ec08 RBP: 0000000000000008 R08: 0000000000000000 R09: 00000000b9d39700 R10: ffffffff814f73c6 R11: 0000000000000000 R12: ffff88807cce4c60 R13: 0000000000000000 R14: ffff8880796d8800 R15: ffff8880796d8800 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c0174b4000 CR3: 000000007cae9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? queueworkon+0xcb/0x110 ? lockdephardirqsoff+0x90/0xd0 queueworkon+0xee/0x110 processonework+0x996/0x1610 ? pwqdecnrinflight+0x2a0/0x2a0 ? rwlockbug.part.0+0x90/0x90 ? _rawspinlockirq+0x41/0x50 workerthread+0x665/0x1080 ? processonework+0x1610/0x1610 kthread+0x2e9/0x3a0 ? kthreadcompleteandexit+0x40/0x40 retfromfork+0x1f/0x30 </TASK>
To fix this, we can add a new HCIDRAINWQ flag, and don't queue the timeout workqueue while command workqueue is draining.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced76727c02c1e14a2b561b806fa1d08acc1619ad27Fixed4bf367fa1fefabdf14938d0ac9ed60020389112e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced76727c02c1e14a2b561b806fa1d08acc1619ad27Fixed3b382555706558f5c0587862b6dc03e96a252bba
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced76727c02c1e14a2b561b806fa1d08acc1619ad27Fixed877afadad2dce8aae1f2aad8ce47e072d4f6165e
Affected versions
v3.*
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7
v4.*
v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.10
v5.18.11
v5.18.12
v5.18.13
v5.18.14
v5.18.15
v5.18.16
v5.18.17
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-00dc657d",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_cmd_work",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 894.0,
"function_hash": "257518447988808350207318989562596230190"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-115f25d3",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_dev_do_reset",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 520.0,
"function_hash": "144135601343006505313117936446615682189"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-33c240c4",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_dev_do_reset",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 520.0,
"function_hash": "144135601343006505313117936446615682189"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-3a2c926b",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298813293868886859514745344798933259469",
"300600680245530625079093757460050561605",
"92391027321936649602219980064911021975",
"107957302026127153209846263830591235615",
"143843955281711743296374900648421634852"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-49082ede",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/net/bluetooth/hci.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"132593684018331660663331178722641145623",
"120667111050393162459976311001198937268",
"19855078100547446904234493143941541294",
"126964939899418083666355583488575929931"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-4951c342",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"215689567160586635353936353189166886929",
"256496434343241608840112733376569186170",
"284410392486052775243610958670779163690",
"265961021621483561569220838342860054336",
"83303557863509254461739091128180501316",
"302705192227592996511805174849857853200",
"1830592253822661292996947604998412433",
"206086635450207000340557044159757938533",
"333679623362593137547654825798625450192",
"97611935165721941957721845355791986827"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-4e125f14",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "handle_cmd_cnt_and_timer",
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"length": 312.0,
"function_hash": "286877488051970081752606841944560535560"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-51ddc14e",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_cmd_work",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 894.0,
"function_hash": "257518447988808350207318989562596230190"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-552a7770",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_dev_do_reset",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 520.0,
"function_hash": "144135601343006505313117936446615682189"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-75e79e66",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"215689567160586635353936353189166886929",
"256496434343241608840112733376569186170",
"284410392486052775243610958670779163690",
"265961021621483561569220838342860054336",
"83303557863509254461739091128180501316",
"302705192227592996511805174849857853200",
"1830592253822661292996947604998412433",
"206086635450207000340557044159757938533",
"333679623362593137547654825798625450192",
"97611935165721941957721845355791986827"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-8218a5a2",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298813293868886859514745344798933259469",
"300600680245530625079093757460050561605",
"92391027321936649602219980064911021975",
"107957302026127153209846263830591235615",
"143843955281711743296374900648421634852"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-9328b2dc",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "hci_cmd_work",
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"length": 894.0,
"function_hash": "257518447988808350207318989562596230190"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3b382555706558f5c0587862b6dc03e96a252bba",
"id": "CVE-2022-50166-9d01b066",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "handle_cmd_cnt_and_timer",
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"length": 312.0,
"function_hash": "286877488051970081752606841944560535560"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-caa70f5a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298813293868886859514745344798933259469",
"300600680245530625079093757460050561605",
"92391027321936649602219980064911021975",
"107957302026127153209846263830591235615",
"143843955281711743296374900648421634852"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-e3aa1921",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/net/bluetooth/hci.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"132593684018331660663331178722641145623",
"120667111050393162459976311001198937268",
"19855078100547446904234493143941541294",
"126964939899418083666355583488575929931"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-f41b9a3d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/net/bluetooth/hci.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"132593684018331660663331178722641145623",
"120667111050393162459976311001198937268",
"19855078100547446904234493143941541294",
"126964939899418083666355583488575929931"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"id": "CVE-2022-50166-fa97a6fa",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "handle_cmd_cnt_and_timer",
"file": "net/bluetooth/hci_event.c"
},
"digest": {
"length": 312.0,
"function_hash": "286877488051970081752606841944560535560"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4bf367fa1fefabdf14938d0ac9ed60020389112e",
"id": "CVE-2022-50166-fdb1a4e8",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/bluetooth/hci_core.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"215689567160586635353936353189166886929",
"256496434343241608840112733376569186170",
"284410392486052775243610958670779163690",
"265961021621483561569220838342860054336",
"83303557863509254461739091128180501316",
"302705192227592996511805174849857853200",
"1830592253822661292996947604998412433",
"206086635450207000340557044159757938533",
"333679623362593137547654825798625450192",
"97611935165721941957721845355791986827"
]
},
"signature_type": "Line"
}
]