{"id":"CVE-2022-49943","summary":"USB: gadget: Fix obscure lockdep violation for udc_mutex","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation.  In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn-\u003eactive#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #3 (kn-\u003eactive#4){++++}-{0:0}:\n        lock_acquire+0x68/0x84\n        __kernfs_remove+0x268/0x380\n        kernfs_remove_by_name_ns+0x58/0xac\n        sysfs_remove_file_ns+0x18/0x24\n        device_del+0x15c/0x440\n\n-\u003e #2 (device_links_lock){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        device_link_remove+0x3c/0xa0\n        _regulator_put.part.0+0x168/0x190\n        regulator_put+0x3c/0x54\n        devm_regulator_release+0x14/0x20\n\n-\u003e #1 (regulator_list_mutex){+.+.}-{3:3}:\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        regulator_lock_dependent+0x54/0x284\n        regulator_enable+0x34/0x80\n        phy_power_on+0x24/0x130\n        __dwc2_lowlevel_hw_enable+0x100/0x130\n        dwc2_lowlevel_hw_enable+0x18/0x40\n        dwc2_hsotg_udc_start+0x6c/0x2f0\n        gadget_bind_driver+0x124/0x1f4\n\n-\u003e #0 (udc_lock){+.+.}-{3:3}:\n        __lock_acquire+0x1298/0x20cc\n        lock_acquire.part.0+0xe0/0x230\n        lock_acquire+0x68/0x84\n        __mutex_lock+0x9c/0x430\n        mutex_lock_nested+0x38/0x64\n        usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc-\u003edriver along with a few other\nthings.  As far as I can tell, there's no reason for the mutex to be\nheld while the gadget core calls a gadget driver's -\u003ebind or -\u003eunbind\nroutine, or while a UDC is being started or stopped.  (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers' -\u003edisconnect callbacks are problematic.  Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there's a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the -\u003ebind callback is invoked.  If a disconnect occurred\nduring that window, we could call the driver's -\u003edisconnect routine\nbefore its -\u003ebind routine.  To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver.  This should be done already but it doesn't seem to be;\ncurrently usb_gadget_connect() has no check for this.  Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc-\u003edriver at arbitrary times since it is a\nsysfs callback.  The solution here is to acquire the gadget's device\nlock rather than the udc_mutex.  Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc-\u003edriver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc-\u003edriver.  The missing lock and\nunlock calls are added.","modified":"2026-04-03T13:14:32.396480Z","published":"2025-06-18T10:59:58.516Z","related":["SUSE-SU-2025:02264-1","SUSE-SU-2025:02321-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0475-1","SUSE-SU-2026:0495-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:1131-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49943.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1016fc0c096c92dd0e6e0541daac7a7868169903"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a065e4673cbdd9f222a05f85e17d78ea50c8d9c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49943.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49943"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f44b0b95d50fffeca036e1ba36770390e0b519dd"},{"fixed":"1a065e4673cbdd9f222a05f85e17d78ea50c8d9c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2191c00855b03aa59c20e698be713d952d51fc18"},{"fixed":"1016fc0c096c92dd0e6e0541daac7a7868169903"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49943.json"}}],"schema_version":"1.7.5"}