{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49943","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.381Z","datePublished":"2025-06-18T10:59:58.516Z","dateUpdated":"2026-05-11T19:09:40.620Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:09:40.620Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation.  In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 (kn->active#4){++++}-{0:0}:\n        lock_acquire+0x68/0x84\n        __kernfs_remove+0x268/0x380\n        kernfs_remove_by_name_ns+0x58/0xac\n        sysfs_remove_file_ns+0x18/0x24\n        device_del+0x15c/0x440\n\n-> #2 (device_links_lock){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        device_link_remove+0x3c/0xa0\n        _regulator_put.part.0+0x168/0x190\n        regulator_put+0x3c/0x54\n        devm_regulator_release+0x14/0x20\n\n-> #1 (regulator_list_mutex){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        regulator_lock_dependent+0x54/0x284\n        regulator_enable+0x34/0x80\n        phy_power_on+0x24/0x130\n        __dwc2_lowlevel_hw_enable+0x100/0x130\n        dwc2_lowlevel_hw_enable+0x18/0x40\n        dwc2_hsotg_udc_start+0x6c/0x2f0\n        gadget_bind_driver+0x124/0x1f4\n\n-> #0 (udc_lock){+.+.}-{3:3}:\n        __lock_acquire+0x1298/0x20cc\n        lock_acquire.part.0+0xe0/0x230\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc->driver along with a few other\nthings.  As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's ->bind or ->unbind\nroutine, or while a UDC is being started or stopped.  (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers' ->disconnect callbacks are problematic.  Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the ->bind callback is invoked.  If a disconnect occurred\nduring that window, we could call the driver's ->disconnect routine\nbefore its ->bind routine.  To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver.  This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this.  Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc->driver at arbitrary times since it is a\nsysfs callback.  The solution here is to acquire the gadget's device\nlock rather than the udc_mutex.  Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc->driver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc->driver.  The missing lock and\nunlock calls are added."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/udc/core.c"],"versions":[{"version":"f44b0b95d50fffeca036e1ba36770390e0b519dd","lessThan":"1a065e4673cbdd9f222a05f85e17d78ea50c8d9c","status":"affected","versionType":"git"},{"version":"2191c00855b03aa59c20e698be713d952d51fc18","lessThan":"1016fc0c096c92dd0e6e0541daac7a7868169903","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/udc/core.c"],"versions":[{"version":"5.19.7","lessThan":"5.19.8","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.7","versionEndExcluding":"5.19.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1a065e4673cbdd9f222a05f85e17d78ea50c8d9c"},{"url":"https://git.kernel.org/stable/c/1016fc0c096c92dd0e6e0541daac7a7868169903"}],"title":"USB: gadget: Fix obscure lockdep violation for udc_mutex","x_generator":{"engine":"bippy-1.2.0"}}}}