CVE-2022-49936
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49936
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49936.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49936
- Related
- Published
- 2025-06-18T11:15:20Z
- Modified
- 2025-06-18T15:58:32.851764Z
- Downstream
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Prevent nested device-reset calls
Automatic kernel fuzzing revealed a recursive locking violation in usb-storage:
============================================ WARNING: possible recursive locking detected
5.18.0 #3 Not tainted
kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&usinterfacekey[i]){+.+.}-{3:3}, at: usbstorpre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
but task is already holding lock: ffff888018638db8 (&usinterfacekey[i]){+.+.}-{3:3}, at: usbstorpre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
...
stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usbhubwq hubevent Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printdeadlockbug kernel/locking/lockdep.c:2988 [inline] checkdeadlock kernel/locking/lockdep.c:3031 [inline] validatechain kernel/locking/lockdep.c:3816 [inline] _lockacquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lockacquire kernel/locking/lockdep.c:5665 [inline] lockacquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 _mutexlockcommon kernel/locking/mutex.c:603 [inline] _mutexlock+0x14f/0x1610 kernel/locking/mutex.c:747 usbstorprereset+0x35/0x40 drivers/usb/storage/usb.c:230 usbresetdevice+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xudevremove+0x21a/0x270 drivers/staging/rtl8712/usbintf.c:622 usbunbindinterface+0x1bd/0x890 drivers/usb/core/driver.c:458 deviceremove drivers/base/dd.c:545 [inline] deviceremove+0x11f/0x170 drivers/base/dd.c:537 _devicereleasedriver drivers/base/dd.c:1222 [inline] devicereleasedriverinternal+0x1a7/0x2f0 drivers/base/dd.c:1248 usbdriverreleaseinterface+0x102/0x180 drivers/usb/core/driver.c:627 usbforcedunbindintf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usbresetdevice+0x39b/0x9a0 drivers/usb/core/hub.c:6114
This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have prereset or postreset callbacks), its ->remove routine called usbresetdevice() -- thus nesting one reset call within another.
Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a resetinprogress flag and testing it will prevent such errors in the future.
- References
-
- https://git.kernel.org/stable/c/1b29498669914c7f9afb619722421418a753d372
- https://git.kernel.org/stable/c/9c6d778800b921bde3bff3cff5003d1650f942d1
- https://git.kernel.org/stable/c/abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8
- https://git.kernel.org/stable/c/c548b99e1c37db6f7df86ecfe9a1f895d6c5966e
- https://git.kernel.org/stable/c/cc9a12e12808af178c600cc485338bac2e37d2a8
- https://git.kernel.org/stable/c/d5eb850b3e8836197a38475840725260b9783e94
- https://git.kernel.org/stable/c/d90419b8b8322b6924f6da9da952647f2dadc21b
- https://git.kernel.org/stable/c/df1875084898b15cbc42f712e93d7f113ae6271b
- https://security-tracker.debian.org/tracker/CVE-2022-49936
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.148-1
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source