{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-48760","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-06-20T11:09:39.059Z","datePublished":"2024-06-20T11:13:38.532Z","dateUpdated":"2025-12-23T13:20:18.737Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-12-23T13:20:18.737Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix hang in usb_kill_urb by adding memory barriers\n\nThe syzbot fuzzer has identified a bug in which processes hang waiting\nfor usb_kill_urb() to return.  It turns out the issue is not unlinking\nthe URB; that works just fine.  Rather, the problem arises when the\nwakeup notification that the URB has completed is not received.\n\nThe reason is memory-access ordering on SMP systems.  In outline form,\nusb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on\ndifferent CPUs perform the following actions:\n\nCPU 0\t\t\t\t\tCPU 1\n----------------------------\t\t---------------------------------\nusb_kill_urb():\t\t\t\t__usb_hcd_giveback_urb():\n  ...\t\t\t\t\t  ...\n  atomic_inc(&urb->reject);\t\t  atomic_dec(&urb->use_count);\n  ...\t\t\t\t\t  ...\n  wait_event(usb_kill_urb_queue,\n\tatomic_read(&urb->use_count) == 0);\n\t\t\t\t\t  if (atomic_read(&urb->reject))\n\t\t\t\t\t\twake_up(&usb_kill_urb_queue);\n\nConfining your attention to urb->reject and urb->use_count, you can\nsee that the overall pattern of accesses on CPU 0 is:\n\n\twrite urb->reject, then read urb->use_count;\n\nwhereas the overall pattern of accesses on CPU 1 is:\n\n\twrite urb->use_count, then read urb->reject.\n\nThis pattern is referred to in memory-model circles as SB (for \"Store\nBuffering\"), and it is well known that without suitable enforcement of\nthe desired order of accesses -- in the form of memory barriers -- it\nis entirely possible for one or both CPUs to execute their reads ahead\nof their writes.  The end result will be that sometimes CPU 0 sees the\nold un-decremented value of urb->use_count while CPU 1 sees the old\nun-incremented value of urb->reject.  Consequently CPU 0 ends up on\nthe wait queue and never gets woken up, leading to the observed hang\nin usb_kill_urb().\n\nThe same pattern of accesses occurs in usb_poison_urb() and the\nfailure pathway of usb_hcd_submit_urb().\n\nThe problem is fixed by adding suitable memory barriers.  To provide\nproper memory-access ordering in the SB pattern, a full barrier is\nrequired on both CPUs.  The atomic_inc() and atomic_dec() accesses\nthemselves don't provide any memory ordering, but since they are\npresent, we can use the optimized smp_mb__after_atomic() memory\nbarrier in the various routines to obtain the desired effect.\n\nThis patch adds the necessary memory barriers."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/core/hcd.c","drivers/usb/core/urb.c"],"versions":[{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"5f138ef224dffd15d5e5c5b095859719e0038427","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"b50f5ca60475710bbc9a3af32fbfc17b1e69c2f0","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"546ba238535d925254e0b3f12012a5c55801e2f3","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"5904dfd3ddaff3bf4a41c3baf0a8e8f31ed4599b","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"9c61fce322ac2ef7fecf025285353570d60e41d6","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"e3b131e30e612ff0e32de6c1cb4f69f89db29193","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"9340226388c66a7e090ebb00e91ed64a753b6c26","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"c9a18f7c5b071dce5e6939568829d40994866ab0","status":"affected","versionType":"git"},{"version":"49367d8f1d9f26482cf7089489e90f0afd0a942c","lessThan":"26fbe9772b8c459687930511444ce443011f86bf","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/core/hcd.c","drivers/usb/core/urb.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"4.4.302","lessThanOrEqual":"4.4.*","status":"unaffected","versionType":"semver"},{"version":"4.9.300","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.265","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.228","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.176","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.96","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.19","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.5","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"4.4.302"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"4.9.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"4.14.265"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"4.19.228"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.4.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.16.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f138ef224dffd15d5e5c5b095859719e0038427"},{"url":"https://git.kernel.org/stable/c/b50f5ca60475710bbc9a3af32fbfc17b1e69c2f0"},{"url":"https://git.kernel.org/stable/c/546ba238535d925254e0b3f12012a5c55801e2f3"},{"url":"https://git.kernel.org/stable/c/5904dfd3ddaff3bf4a41c3baf0a8e8f31ed4599b"},{"url":"https://git.kernel.org/stable/c/9c61fce322ac2ef7fecf025285353570d60e41d6"},{"url":"https://git.kernel.org/stable/c/e3b131e30e612ff0e32de6c1cb4f69f89db29193"},{"url":"https://git.kernel.org/stable/c/9340226388c66a7e090ebb00e91ed64a753b6c26"},{"url":"https://git.kernel.org/stable/c/c9a18f7c5b071dce5e6939568829d40994866ab0"},{"url":"https://git.kernel.org/stable/c/26fbe9772b8c459687930511444ce443011f86bf"}],"title":"USB: core: Fix hang in usb_kill_urb by adding memory barriers","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-20T14:49:44.326446Z","id":"CVE-2022-48760","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-20T14:50:00.838Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:25:01.565Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/5f138ef224dffd15d5e5c5b095859719e0038427","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b50f5ca60475710bbc9a3af32fbfc17b1e69c2f0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/546ba238535d925254e0b3f12012a5c55801e2f3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5904dfd3ddaff3bf4a41c3baf0a8e8f31ed4599b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9c61fce322ac2ef7fecf025285353570d60e41d6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e3b131e30e612ff0e32de6c1cb4f69f89db29193","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9340226388c66a7e090ebb00e91ed64a753b6c26","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c9a18f7c5b071dce5e6939568829d40994866ab0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/26fbe9772b8c459687930511444ce443011f86bf","tags":["x_transferred"]}]}]}}