Unrated severityNVD Advisory· Published Aug 21, 2024· Updated May 4, 2025
USB: gadgetfs: Fix race between mounting and unmounting
CVE-2022-48869
Description
In the Linux kernel, the following vulnerability has been resolved:
USB: gadgetfs: Fix race between mounting and unmounting
The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part:
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689
CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace:
... atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 vfs_get_super fs/super.c:1190 [inline] get_tree_single+0xd0/0x160 fs/super.c:1207 vfs_get_tree+0x88/0x270 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.
Affected products
97- osv-coords96 versionspkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-debug&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%20Micro%205.5pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%20Micro%205.5pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-rt_debug&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%20Micro%205.5pkg:rpm/opensuse/kernel-source-azure&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-source-rt&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-syms-azure&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-syms-rt&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-default-base&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/kernel-default-base&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/kernel-default&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP4_Update_31&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP4pkg:rpm/suse/kernel-livepatch-SLE15-SP5-RT_Update_19&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-livepatch-SLE15-SP5_Update_19&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP5pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-rt_debug&distro=SUSE%20Real%20Time%20Module%2015%20SP5pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP5pkg:rpm/suse/kernel-source-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-source&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/kernel-source&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP5pkg:rpm/suse/kernel-syms-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/kernel-syms&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/kernel-syms&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP5pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Manager%20Server%204.3
< 5.14.21-150500.55.80.1+ 95 more
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2.150500.6.35.6
- (no CPE)range: < 5.14.21-150500.55.80.2.150500.6.35.6
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150500.13.67.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150500.55.80.2.150500.6.35.6
- (no CPE)range: < 5.14.21-150500.55.80.2.150500.6.35.6
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2.150400.24.64.5
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 1-150400.9.3.2
- (no CPE)range: < 1-150500.11.3.2
- (no CPE)range: < 1-150500.11.3.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150400.15.91.3
- (no CPE)range: < 5.14.21-150400.15.91.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.15.91.3
- (no CPE)range: < 5.14.21-150400.15.91.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.13.67.3
- (no CPE)range: < 5.14.21-150500.33.66.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150500.55.80.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150400.24.133.1
- (no CPE)range: < 5.14.21-150500.13.67.1
- (no CPE)range: < 5.14.21-150500.55.80.2
- (no CPE)range: < 5.14.21-150400.24.133.2
- (no CPE)range: < 5.14.21-150400.24.133.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3mitre
- git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4mitre
- git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466aemitre
- git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9mitre
- git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4mitre
News mentions
0No linked articles in our index yet.