{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2021-47038",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-02-27T18:42:55.965Z",
        "datePublished": "2024-02-28T08:13:45.310Z",
        "dateUpdated": "2024-09-11T17:33:20.423Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:01:00.637Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: avoid deadlock between hci_dev->lock and socket lock\n\nCommit eab2404ba798 (\"Bluetooth: Add BT_PHY socket option\") added a\ndependency between socket lock and hci_dev->lock that could lead to\ndeadlock.\n\nIt turns out that hci_conn_get_phy() is not in any way relying on hdev\nbeing immutable during the runtime of this function, neither does it even\nlook at any of the members of hdev, and as such there is no need to hold\nthat lock.\n\nThis fixes the lockdep splat below:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 5.12.0-rc1-00026-g73d464503354 #10 Not tainted\n ------------------------------------------------------\n bluetoothd/1118 is trying to acquire lock:\n ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth]\n\n but task is already holding lock:\n ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}:\n        lock_sock_nested+0x72/0xa0\n        l2cap_sock_ready_cb+0x18/0x70 [bluetooth]\n        l2cap_config_rsp+0x27a/0x520 [bluetooth]\n        l2cap_sig_channel+0x658/0x1330 [bluetooth]\n        l2cap_recv_frame+0x1ba/0x310 [bluetooth]\n        hci_rx_work+0x1cc/0x640 [bluetooth]\n        process_one_work+0x244/0x5f0\n        worker_thread+0x3c/0x380\n        kthread+0x13e/0x160\n        ret_from_fork+0x22/0x30\n\n -> #2 (&chan->lock#2/1){+.+.}-{3:3}:\n        __mutex_lock+0xa3/0xa10\n        l2cap_chan_connect+0x33a/0x940 [bluetooth]\n        l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n        __sys_connect+0x9b/0xc0\n        __x64_sys_connect+0x16/0x20\n        do_syscall_64+0x33/0x80\n        entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #1 (&conn->chan_lock){+.+.}-{3:3}:\n        __mutex_lock+0xa3/0xa10\n        l2cap_chan_connect+0x322/0x940 [bluetooth]\n        l2cap_sock_connect+0x141/0x2a0 [bluetooth]\n        __sys_connect+0x9b/0xc0\n        __x64_sys_connect+0x16/0x20\n        do_syscall_64+0x33/0x80\n        entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n -> #0 (&hdev->lock){+.+.}-{3:3}:\n        __lock_acquire+0x147a/0x1a50\n        lock_acquire+0x277/0x3d0\n        __mutex_lock+0xa3/0xa10\n        hci_conn_get_phy+0x1c/0x150 [bluetooth]\n        l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth]\n        __sys_getsockopt+0xcc/0x200\n        __x64_sys_getsockopt+0x20/0x30\n        do_syscall_64+0x33/0x80\n        entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n other info that might help us debug this:\n\n Chain exists of:\n   &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n                                lock(&chan->lock#2/1);\n                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);\n   lock(&hdev->lock);\n\n  *** DEADLOCK ***\n\n 1 lock held by bluetoothd/1118:\n  #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth]\n\n stack backtrace:\n CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10\n Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017\n Call Trace:\n  dump_stack+0x7f/0xa1\n  check_noncircular+0x105/0x120\n  ? __lock_acquire+0x147a/0x1a50\n  __lock_acquire+0x147a/0x1a50\n  lock_acquire+0x277/0x3d0\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  ? __lock_acquire+0x2e1/0x1a50\n  ? lock_is_held_type+0xb4/0x120\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  __mutex_lock+0xa3/0xa10\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  ? lock_acquire+0x277/0x3d0\n  ? mark_held_locks+0x49/0x70\n  ? mark_held_locks+0x49/0x70\n  ? hci_conn_get_phy+0x1c/0x150 [bluetooth]\n  hci_conn_get_phy+0x\n---truncated---"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/bluetooth/hci_conn.c"
                    ],
                    "versions": [
                        {
                            "version": "eab2404ba798",
                            "lessThan": "7cc0ba67883c",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "eab2404ba798",
                            "lessThan": "fee71f480bc1",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "eab2404ba798",
                            "lessThan": "332e69eb3bd9",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "eab2404ba798",
                            "lessThan": "17486960d79b",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/bluetooth/hci_conn.c"
                    ],
                    "versions": [
                        {
                            "version": "5.7",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.7",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.37",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.11.21",
                            "lessThanOrEqual": "5.11.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.12.4",
                            "lessThanOrEqual": "5.12.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.13",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555"
                },
                {
                    "url": "https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc"
                },
                {
                    "url": "https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17"
                },
                {
                    "url": "https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba"
                }
            ],
            "title": "Bluetooth: avoid deadlock between hci_dev->lock and socket lock",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-04T05:24:39.488Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            },
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2021-47038",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-09-10T15:57:52.490548Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-11T17:33:20.423Z"
                }
            }
        ]
    }
}