{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T12:47:38.280","vulnerabilities":[{"cve":{"id":"CVE-2022-49943","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:21.267","lastModified":"2025-11-14T19:41:15.223","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation.  In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 (kn->active#4){++++}-{0:0}:\n        lock_acquire+0x68/0x84\n        __kernfs_remove+0x268/0x380\n        kernfs_remove_by_name_ns+0x58/0xac\n        sysfs_remove_file_ns+0x18/0x24\n        device_del+0x15c/0x440\n\n-> #2 (device_links_lock){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        device_link_remove+0x3c/0xa0\n        _regulator_put.part.0+0x168/0x190\n        regulator_put+0x3c/0x54\n        devm_regulator_release+0x14/0x20\n\n-> #1 (regulator_list_mutex){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        regulator_lock_dependent+0x54/0x284\n        regulator_enable+0x34/0x80\n        phy_power_on+0x24/0x130\n        __dwc2_lowlevel_hw_enable+0x100/0x130\n        dwc2_lowlevel_hw_enable+0x18/0x40\n        dwc2_hsotg_udc_start+0x6c/0x2f0\n        gadget_bind_driver+0x124/0x1f4\n\n-> #0 (udc_lock){+.+.}-{3:3}:\n        __lock_acquire+0x1298/0x20cc\n        lock_acquire.part.0+0xe0/0x230\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc->driver along with a few other\nthings.  As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's ->bind or ->unbind\nroutine, or while a UDC is being started or stopped.  (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers' ->disconnect callbacks are problematic.  Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the ->bind callback is invoked.  If a disconnect occurred\nduring that window, we could call the driver's ->disconnect routine\nbefore its ->bind routine.  To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver.  This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this.  Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc->driver at arbitrary times since it is a\nsysfs callback.  The solution here is to acquire the gadget's device\nlock rather than the udc_mutex.  Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc->driver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc->driver.  The missing lock and\nunlock calls are added."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: gadget: Se corrige una oscura violación de lockdep para udc_mutex. Una confirmación reciente que expandió el alcance del mutex udc_lock en el núcleo del gadget logró causar una oscura y ligeramente extraña violación de lockdep. En forma abreviada: ======================================================== ADVERTENCIA: posible dependencia de bloqueo circular detectada 5.19.0-rc7+ #12510 No contaminado ------------------------------------------------------ udevadm/312 está intentando adquirir el bloqueo: ffff80000aae1058 (udc_lock){+.+.}-{3:3}, en: usb_udc_uevent+0x54/0xe0 pero la tarea ya tiene el bloqueo: ffff000002277548 (kn->active#4){++++}-{0:0}, en: kernfs_seq_start+0x34/0xe0 cuyo bloqueo ya depende del nuevo bloqueo. la cadena de dependencia existente (en orden inverso) es: -> #3 (kn->active#4){++++}-{0:0}: lock_acquire+0x68/0x84 __kernfs_remove+0x268/0x380 kernfs_remove_by_name_ns+0x58/0xac sysfs_remove_file_ns+0x18/0x24 device_del+0x15c/0x440 -> #2 (device_links_lock){+.+.}-{3:3}: lock_acquire+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 device_link_remove+0x3c/0xa0 _regulator_put.part.0+0x168/0x190 regulator_put+0x3c/0x54 devm_regulator_release+0x14/0x20 -> #1 (mutex_lista_regulador){+.+.}-{3:3}: adquisición_bloqueo+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 regulator_lock_dependent+0x54/0x284 regulator_enable+0x34/0x80 phy_power_on+0x24/0x130 __dwc2_lowlevel_hw_enable+0x100/0x130 dwc2_lowlevel_hw_enable+0x18/0x40 dwc2_hsotg_udc_start+0x6c/0x2f0 gadget_bind_driver+0x124/0x1f4 -> #0 (udc_lock){+.+.}-{3:3}: __lock_acquire+0x1298/0x20cc lock_acquire.part.0+0xe0/0x230 lock_acquire+0x68/0x84 __mutex_lock+0x9c/0x430 mutex_lock_nested+0x38/0x64 usb_udc_uevent+0x54/0xe0 Evidentemente, esto se debió a que el alcance de udc_mutex era demasiado grande. El mutex solo protege udc->driver, entre otras cosas. Hasta donde sé, no hay razón para que el mutex se mantenga mientras el núcleo del gadget llama a la rutina ->bind o ->unbind de un controlador de gadget, ni mientras se inicia o detiene un UDC. (Esto explica el enlace n.º 1 de la cadena anterior, donde el mutex se mantiene mientras se inicia dwc2_hsotg_udc como parte del sondeo del controlador). Las devoluciones de llamada ->disconnect de los controladores de gadget son problemáticas. Aunque usb_gadget_disconnect() ahora adquirirá el udc_mutex, existe un margen en usb_gadget_bind_driver() entre el momento en que se libera el mutex y se invoca la devolucion de llamada ->bind. Si se produjera una desconexión durante ese margen, podríamos llamar a la rutina ->disconnect del controlador antes que a su rutina ->bind. Para evitarlo, será necesario impedir que un UDC se conecte mientras no tenga un controlador de gadget. Esto ya debería estar hecho, pero no parece estarlo; actualmente, usb_gadget_connect() no lo comprueba. Esta comprobación deberá añadirse más adelante. Se requiere cierto grado de exclusión mutua en soft_connect_store(), que puede desreferenciar udc->driver en cualquier momento, ya que es una devolución de llamada de sysfs. La solución es adquirir el bloqueo del dispositivo del gadget en lugar del udc_mutex. Dado que el núcleo del controlador garantiza que el bloqueo del dispositivo se mantenga siempre durante la vinculación y desvinculación del controlador, esto hará que los accesos en soft_connect_store() sean mutuamente excluyentes con cualquier cambio en udc->driver. Por último, resulta que hay un lugar que debería contener el udc_mutex, pero actualmente no lo hace: la rutina function_show() necesita protección mientras desreferencia udc->driver. Se añaden las llamadas de bloqueo y desbloqueo que faltan."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19.7:*:*:*:*:*:*:*","matchCriteriaId":"069A4BEA-1457-4746-A2BA-084F2DC03253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*","matchCriteriaId":"E8BD11A3-8643-49B6-BADE-5029A0117325"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*","matchCriteriaId":"5F0AD220-F6A9-4012-8636-155F1B841FAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*","matchCriteriaId":"A46498B3-78E1-4623-AAE1-94D29A42BE4E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1016fc0c096c92dd0e6e0541daac7a7868169903","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1a065e4673cbdd9f222a05f85e17d78ea50c8d9c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}