THREATINT
PUBLISHED

CVE-2022-49936

USB: core: Prevent nested device-reset calls



Description

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Prevent nested device-reset calls

Automatic kernel fuzzing revealed a recursive locking violation in usb-storage:

    ============================================
    WARNING: possible recursive locking detected
    5.18.0 #3 Not tainted
    --------------------------------------------
    kworker/1:3/1205 is trying to acquire lock:
    ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

    but task is already holding lock:
    ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
    ...
    stack backtrace:
    CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    Workqueue: usb_hub_wq hub_event
    Call Trace:
    <TASK>
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
    print_deadlock_bug kernel/locking/lockdep.c:2988 [inline]
    check_deadlock kernel/locking/lockdep.c:3031 [inline]
    validate_chain kernel/locking/lockdep.c:3816 [inline]
    __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053
    lock_acquire kernel/locking/lockdep.c:5665 [inline]
    lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630
    __mutex_lock_common kernel/locking/mutex.c:603 [inline]
    __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747
    usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230
    usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109
    r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622
    usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
    device_remove drivers/base/dd.c:545 [inline]
    device_remove+0x11f/0x170 drivers/base/dd.c:537
    __device_release_driver drivers/base/dd.c:1222 [inline]
    device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248
    usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627
    usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118
    usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another.

Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future.
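The nested call path in the description, reduced to a userspace C model with and without a reset_in_progress test. This is an added example, not the kernel patch: every name except reset_in_progress is hypothetical, and the -EINPROGRESS return value is an assumption of the model.

```c
#include <errno.h>

/* Userspace model only; every name except reset_in_progress is hypothetical. */
struct model_dev {
    int guard_enabled;        /* 0 = before the fix, 1 = flag is tested */
    int bad_driver_bound;     /* driver whose remove routine resets the device */
    int reset_in_progress;    /* the flag the description proposes */
    int lock_depth;           /* stands in for the non-recursive interface lock */
    int lock_violations;      /* lock taken while already held */
    int resets_done;
    int nested_rc;            /* what the nested reset call returned */
};

static int model_reset_device(struct model_dev *dev);

/* pre_reset of a sibling interface driver takes the interface lock. */
static void model_pre_reset(struct model_dev *dev)
{
    if (dev->lock_depth++ > 0)
        dev->lock_violations++;   /* the recursive locking lockdep reported */
}

/* A driver without pre_reset/post_reset is unbound before the reset. */
static void model_forced_unbind(struct model_dev *dev)
{
    if (!dev->bad_driver_bound)
        return;
    dev->bad_driver_bound = 0;
    dev->nested_rc = model_reset_device(dev);  /* remove routine resets again */
}

static int model_reset_device(struct model_dev *dev)
{
    if (dev->guard_enabled && dev->reset_in_progress)
        return -EINPROGRESS;      /* error code is this model's choice */
    dev->reset_in_progress = 1;
    model_pre_reset(dev);
    model_forced_unbind(dev);
    dev->resets_done++;
    dev->lock_depth--;            /* post_reset releases the lock */
    dev->reset_in_progress = 0;
    return 0;
}

/* Run one outer reset with or without the guard and return the final state. */
static struct model_dev model_run(int guard_enabled)
{
    struct model_dev dev = { .guard_enabled = guard_enabled, .bad_driver_bound = 1 };
    model_reset_device(&dev);
    return dev;
}
```

Without the guard the model records one lock violation and two completed resets; with it, the nested call is refused and the outer reset finishes alone.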

Reserved 2025-05-01 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d90419b8b8322b6924f6da9da952647f2dadc21b: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1b29498669914c7f9afb619722421418a753d372: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cc9a12e12808af178c600cc485338bac2e37d2a8: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before df1875084898b15cbc42f712e93d7f113ae6271b: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c548b99e1c37db6f7df86ecfe9a1f895d6c5966e: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d5eb850b3e8836197a38475840725260b9783e94: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9c6d778800b921bde3bff3cff5003d1650f942d1: affected

Default status: affected

4.9.328: unaffected
4.14.293: unaffected
4.19.258: unaffected
5.4.213: unaffected
5.10.142: unaffected
5.15.66: unaffected
5.19.8: unaffected
6.0: unaffected

References

git.kernel.org/...c/d90419b8b8322b6924f6da9da952647f2dadc21b

git.kernel.org/...c/1b29498669914c7f9afb619722421418a753d372

git.kernel.org/...c/cc9a12e12808af178c600cc485338bac2e37d2a8

git.kernel.org/...c/df1875084898b15cbc42f712e93d7f113ae6271b

git.kernel.org/...c/abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8

git.kernel.org/...c/c548b99e1c37db6f7df86ecfe9a1f895d6c5966e

git.kernel.org/...c/d5eb850b3e8836197a38475840725260b9783e94

git.kernel.org/...c/9c6d778800b921bde3bff3cff5003d1650f942d1

cve.org (CVE-2022-49936)

nvd.nist.gov (CVE-2022-49936)
