CVE-2022-49755
- Source
- https://cve.org/CVERecord?id=CVE-2022-49755
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49755.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49755
- Downstream
- Related
- Published
- 2025-03-27T16:43:02.950Z
- Modified
- 2026-03-20T11:47:12.019366Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: ffs: Prevent race during ffsep0queuewait
While performing fast composition switch, there is a possibility that the process of ffsep0write/ffsep0read get into a race condition due to ep0req being freed up from functionfs_unbind.
Consider the scenario that the ffsep0write calls the ffsep0queuewait by taking a lock &ffs->ev.waitq.lock. However, the functionfsunbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffsep0queue_wait we will end up in use-after-free.
Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49755.json" }- References
-
- https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850
- https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217
- https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78
- https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064
- https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a
- https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
- https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49755.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49755
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedddf8abd2599491cbad959c700b90ba72a5dce8d0Fixedfacf353c9e8d7885b686d9a4b173d4e0af6441d2Fixede9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4Fixeda8d40942df074f4ebcb9bd3413596d92f323b064Fixed6dd9ea05534f323668db94fcc2726c7a84547e78Fixedae8e136bcaae96163b5821984de1036efc9abb1aFixed6aee197b7fbcd61596a78b47d553f2f99111f217Fixed6a19da111057f69214b97c62fb0ac59023970850