Linux Kernel USB Core Nested Device-Reset Recursive Locking Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB core has been identified, specifically within the USB storage driver. This issue involves a recursive locking violation caused by nested device-reset calls. The vulnerability arises when a USB device is being reset while another reset is already in progress, leading to a potential deadlock situation. The problem was discovered through automated kernel fuzzing, which revealed that the USB core does not currently prevent such nested reset operations. The vulnerability affects Linux kernel versions 5.18.0 and prior.

Impact

Exploitation of this vulnerability can lead to a recursive locking violation, causing a deadlock in which one task waits for a lock held by another task. This can disrupt normal processing and potentially cause system instability.

Reproduction

The vulnerability can be reproduced by using a USB device with a driver that does not implement pre-reset or post-reset callbacks. When the driver is unbound from a composite device, its remove routine can inadvertently trigger a USB reset while another reset is already being processed, creating a nested reset scenario that the USB core does not handle properly.

Remediation

The vulnerability has been addressed in the Linux kernel by adding a reset-in-progress flag to the USB core, which prevents nested reset calls from occurring.
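
The guard described above, as a simplified user-space C model added here; it is not kernel code and not the project's patch. All names (`model_dev`, `model_reset`, `model_driver_remove`, `use_guard`) are hypothetical, and the device lock is modelled as a boolean that counts a recursive acquisition instead of blocking.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* User-space model only: every name is hypothetical, not a kernel identifier. */
struct model_dev {
    bool lock_held;           /* stands in for a non-recursive device lock */
    bool reset_in_progress;   /* guard flag of the kind described under Remediation */
    bool use_guard;           /* false models the behaviour before the fix */
    int  recursive_lock_hits, nested_rc; /* recursive lock requests; nested reset result */
};
static int model_reset(struct model_dev *d);

static int model_lock(struct model_dev *d)
{
    if (d->lock_held) {       /* a real non-recursive lock would block forever here */
        d->recursive_lock_hits++;
        return -EDEADLK;
    }
    d->lock_held = true;
    return 0;
}

static void model_driver_remove(struct model_dev *d)
{
    d->nested_rc = model_reset(d); /* driver's remove routine asks for a reset */
}

static int model_reset(struct model_dev *d)
{
    if (d->use_guard && d->reset_in_progress)
        return -EINPROGRESS;  /* nested request refused before any locking */
    d->reset_in_progress = true;
    int rc = model_lock(d);
    if (rc == 0) {
        model_driver_remove(d); /* unbind runs inside the reset path */
        d->lock_held = false;
    }
    d->reset_in_progress = false;
    return rc;
}

int main(void)
{
    for (int guard = 0; guard <= 1; guard++) {
        struct model_dev d = { .use_guard = guard };
        int rc = model_reset(&d);
        printf("guard=%d outer=%d nested=%d recursive_lock_hits=%d\n", guard, rc, d.nested_rc, d.recursive_lock_hits);
    }
}
```

With the guard off, the nested call reaches the lock a second time, which is the recursive acquisition; with it on, the nested call returns before locking and the outer reset completes.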

Added: Jun 18, 2025, 10:26 PM
Updated: Jun 18, 2025, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.