Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer and id_addr_timer while holding conn->lock. However, the work functions l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire conn->lock, creating a potential AB-BA deadlock if the work is already executing when l2cap_conn_del() takes the lock. Move the work cancellations before acquiring conn->lock and use disable_delayed_work_sync() to additionally prevent the works from being rearmed after cancellation, consistent with the pattern used in hci_conn_del().
Product status
f87271d21dd4ee83857ca11b94e7b4952749bbae (git) before f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before 3f26ecbd9cde621dd94be7ef252c7210b965a5c7
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before d008460de352e534f6721de829b093368564ec66
ab4eedb790cae44313759b50fe47da285e2519d5 (git) before 00fdebbbc557a2fc21321ff2eaa22fd70c078608
efc30877bd4bc85fefe98d80af60fafc86e5775e (git)
18ab6b6078fa8191ca30a3065d57bf35d5635761 (git)
6.12.20 (semver) before 6.12.88
6.6.84 (semver) before 6.7
6.13.8 (semver) before 6.14
6.14
Any version before 6.14
6.12.88 (semver)
6.18.21 (semver)
6.19.11 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/f7f35a4f7fd574f5889bb2e4b397e14cbb83f6da
git.kernel.org/...c/3f26ecbd9cde621dd94be7ef252c7210b965a5c7
git.kernel.org/...c/d008460de352e534f6721de829b093368564ec66
git.kernel.org/...c/00fdebbbc557a2fc21321ff2eaa22fd70c078608