CVE-2022-49936 Information

Jun 19, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

USB: core: Prevent nested device-reset calls

Automatic kernel fuzzing revealed a recursive locking violation in usb-storage:

============================================ WARNING: possible recursive locking detected 5.18.0 3 Not tainted

kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i])+.+.-3:3 at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

but task is already holding lock: ffff888018638db8 (&us_interface_key[i])+.+.-3:3 at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230

stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 3 Hardware name: QEMU Standard PC (i440FX + PIIX 1996) BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114

This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks) its ->remove routine called usb_reset_device() – thus nesting one reset call within another.

Performing a reset as part of disconnect processing is a questionable practice at best. However the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future.

Reference

https://git.kernel.org/stable/c/1b29498669914c7f9afb619722421418a753d372 https://git.kernel.org/stable/c/9c6d778800b921bde3bff3cff5003d1650f942d1 https://git.kernel.org/stable/c/abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8 https://git.kernel.org/stable/c/c548b99e1c37db6f7df86ecfe9a1f895d6c5966e https://git.kernel.org/stable/c/cc9a12e12808af178c600cc485338bac2e37d2a8 https://git.kernel.org/stable/c/d5eb850b3e8836197a38475840725260b9783e94 https://git.kernel.org/stable/c/d90419b8b8322b6924f6da9da952647f2dadc21b https://git.kernel.org/stable/c/df1875084898b15cbc42f712e93d7f113ae6271b

CNNVD-202506-2223 (Published: 2025-06-18)

Share on: