{ "threat_severity" : "Moderate", "public_date" : "2025-06-18T00:00:00Z", "bugzilla" : { "description" : "kernel: USB: gadget: Fix obscure lockdep violation for udc_mutex", "id" : "2373547", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373547" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation. In abbreviated form:\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\nbut task is already holding lock:\nffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #3 (kn->active#4){++++}-{0:0}:\n       lock_acquire+0x68/0x84\n       __kernfs_remove+0x268/0x380\n       kernfs_remove_by_name_ns+0x58/0xac\n       sysfs_remove_file_ns+0x18/0x24\n       device_del+0x15c/0x440\n-> #2 (device_links_lock){+.+.}-{3:3}:\n       lock_acquire+0x68/0x84\n       __mutex_lock+0x9c/0x430\n       mutex_lock_nested+0x38/0x64\n       device_link_remove+0x3c/0xa0\n       _regulator_put.part.0+0x168/0x190\n       regulator_put+0x3c/0x54\n       devm_regulator_release+0x14/0x20\n-> #1 (regulator_list_mutex){+.+.}-{3:3}:\n       lock_acquire+0x68/0x84\n       __mutex_lock+0x9c/0x430\n       mutex_lock_nested+0x38/0x64\n       regulator_lock_dependent+0x54/0x284\n       regulator_enable+0x34/0x80\n       phy_power_on+0x24/0x130\n       __dwc2_lowlevel_hw_enable+0x100/0x130\n       dwc2_lowlevel_hw_enable+0x18/0x40\n       dwc2_hsotg_udc_start+0x6c/0x2f0\n       gadget_bind_driver+0x124/0x1f4\n-> #0 (udc_lock){+.+.}-{3:3}:\n       __lock_acquire+0x1298/0x20cc\n       lock_acquire.part.0+0xe0/0x230\n       lock_acquire+0x68/0x84\n       __mutex_lock+0x9c/0x430\n       mutex_lock_nested+0x38/0x64\n       usb_udc_uevent+0x54/0xe0\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc->driver along with a few other\nthings. As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's ->bind or ->unbind\nroutine, or while a UDC is being started or stopped. (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\nGadget drivers' ->disconnect callbacks are problematic. Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the ->bind callback is invoked. If a disconnect occurred\nduring that window, we could call the driver's ->disconnect routine\nbefore its ->bind routine. To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver. This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this. Such a check\nwill have to be added later.\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc->driver at arbitrary times since it is a\nsysfs callback. The solution here is to acquire the gadget's device\nlock rather than the udc_mutex. Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc->driver.\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc->driver. The missing lock and\nunlock calls are added." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49943\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49943\nhttps://lore.kernel.org/linux-cve-announce/2025061807-CVE-2022-49943-7809@gregkh/T" ], "name" : "CVE-2022-49943", "csaw" : false }