Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A data race vulnerability has been identified in the Bluetooth subsystem of the Linux kernel. The issue arises in the handling of the 'req_status' variable within the 'hci_dev' structure, which is used to synchronize command requests. The function '__hci_cmd_sync_sk()' correctly sets 'req_status' under a lock, but several other functions access 'req_status' without any locking mechanism. This includes 'hci_send_cmd_sync()', 'hci_cmd_sync_complete()', 'hci_cmd_sync_cancel()', 'hci_cmd_sync_cancel_sync()', and 'hci_abort_conn()'. The lack of proper synchronization can lead to concurrent access issues, especially since these functions can be executed on different CPUs via separate workqueues. The vulnerability has been addressed by adding appropriate read and write annotations to 'req_status' to prevent potential compiler optimizations that could disrupt the intended synchronization.
The vulnerability could lead to a data race condition, where concurrent accesses to the 'req_status' variable could cause incorrect behavior in command synchronization, potentially disrupting Bluetooth operations or causing unexpected responses to command requests.
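The access pattern described above, reduced to a userspace model. This is an added example, not kernel code or the upstream patch. The struct, the function names, the status values and the polling wait are constructed for illustration, and the "read and write annotations" are assumed to be READ_ONCE()/WRITE_ONCE()-style marked accesses, emulated here with relaxed atomic builtins (GCC/Clang).

```c
#include <pthread.h>
#include <sched.h>
#include <stdio.h>

/* Userspace stand-ins for marked accesses (assumption: the fix's annotations
 * are READ_ONCE()/WRITE_ONCE()); each forces exactly one untorn load/store. */
#define READ_ONCE(x)     __atomic_load_n(&(x), __ATOMIC_RELAXED)
#define WRITE_ONCE(x, v) __atomic_store_n(&(x), (v), __ATOMIC_RELAXED)

enum { REQ_DONE = 0, REQ_PEND = 1, REQ_CANCELED = 2 }; /* constructed values */

struct model_dev {            /* hypothetical, reduced stand-in for 'hci_dev' */
    pthread_mutex_t req_lock;
    int req_status;
    int finish_as;            /* status the other thread will store */
};

/* Models a completion/cancel path: runs on another thread and never takes
 * req_lock, so its read and its write both race with the requester. */
static void *finisher(void *arg)
{
    struct model_dev *d = arg;
    while (READ_ONCE(d->req_status) != REQ_PEND)
        sched_yield();
    WRITE_ONCE(d->req_status, d->finish_as);
    return NULL;
}

/* Models the requester: sets PEND under the lock, then waits for a change. */
int run_request(int finish_as)
{
    struct model_dev d = { PTHREAD_MUTEX_INITIALIZER, REQ_DONE, finish_as };
    pthread_t t;
    int status;
    if (finish_as == REQ_PEND || pthread_create(&t, NULL, finisher, &d) != 0)
        return -1;
    pthread_mutex_lock(&d.req_lock);
    WRITE_ONCE(d.req_status, REQ_PEND); /* lock-free readers exist, so mark it */
    pthread_mutex_unlock(&d.req_lock);
    /* With a plain load the compiler may read once and spin on a stale value. */
    while ((status = READ_ONCE(d.req_status)) == REQ_PEND)
        sched_yield();
    pthread_join(t, NULL);
    return status;
}

int main(void)
{
    printf("completed: %d\n", run_request(REQ_DONE));
    printf("canceled:  %d\n", run_request(REQ_CANCELED));
    return 0;
}
```

Replacing the two macros with plain accesses reproduces the reported pattern; building that variant with `-fsanitize=thread` flags the unlocked accesses to `req_status`.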
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.