CVE-2022-50202 Affecting kernel-zfcpdump-modules-extra package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-KERNELZFCPDUMPMODULESEXTRA-10458813
- published20 Jun 2025
- disclosed18 Jun 2025
Introduced: 18 Jun 2025
NewCVE-2022-50202 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 kernel-zfcpdump-modules-extra.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-zfcpdump-modules-extra package and not the kernel-zfcpdump-modules-extra package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
PM: hibernate: defer device probing when resuming from hibernation
syzbot is reporting hung task at misc_open() [1], for there is a race window of AB-BA deadlock which involves probe_count variable. Currently wait_for_device_probe() from snapshot_open() from misc_open() can sleep forever with misc_mtx held if probe_count cannot become 0.
When a device is probed by hub_event() work function, probe_count is incremented before the probe function starts, and probe_count is decremented after the probe function completed.
There are three cases that can prevent probe_count from dropping to 0.
(a) A device being probed stopped responding (i.e. broken/malicious hardware).
(b) A process emulating a USB device using /dev/raw-gadget interface stopped responding for some reason.
(c) New device probe requests keeps coming in before existing device probe requests complete.
The phenomenon syzbot is reporting is (b). A process which is holding system_transition_mutex and misc_mtx is waiting for probe_count to become 0 inside wait_for_device_probe(), but the probe function which is called from hub_event() work function is waiting for the processes which are blocked at mutex_lock(&misc_mtx) to respond via /dev/raw-gadget interface.
This patch mitigates (b) by deferring wait_for_device_probe() from snapshot_open() to snapshot_write() and snapshot_ioctl(). Please note that the possibility of (b) remains as long as any thread which is emulating a USB device via /dev/raw-gadget interface can be blocked by uninterruptible blocking operations (e.g. mutex_lock()).
Please also note that (a) and (c) are not addressed. Regarding (c), we should change the code to wait for only one device which contains the image for resuming from hibernation. I don't know how to address (a), for use of timeout for wait_for_device_probe() might result in loss of user data in the image. Maybe we should require the userland to wait for the image device before opening /dev/snapshot interface.
References
- https://access.redhat.com/security/cve/CVE-2022-50202
- https://git.kernel.org/stable/c/003a456ae6f70bb97e436e02fc5105be577c1570
- https://git.kernel.org/stable/c/2f0e18e0db42f4f8bc87d3d98333680065ceeff8
- https://git.kernel.org/stable/c/3c48d3067eaf878642276f053575a5c642600a50
- https://git.kernel.org/stable/c/5a283b59bce72c05c60e9f0fa92a28b5b850d8bb
- https://git.kernel.org/stable/c/8386c414e27caba8501119948e9551e52b527f59
- https://git.kernel.org/stable/c/8c90947e5f1801e6c7120021c6ea0f3ad6a4eb91
- https://git.kernel.org/stable/c/b8e1ae9433d7bd95f2dcc044a7a6f20a4c40d258
- https://git.kernel.org/stable/c/f7042cf9dd40733f387b7cac021e626c74b8856f