CVE-2022-49285 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: mma8452: use the correct logic to get mma8452_data
The original logic to get mma8452_data is wrong: *dev points to the device belonging to iio_dev, so we can't use this dev to find the correct i2c_client. The original logic happens to work because it finally uses dev->driver_data to get iio_dev. Using the API to_i2c_client() here is wrong and confuses the reader. To correct the logic, it should be like this:
struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));
But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata"), the logic above also can't work. When trying to show the available scale in userspace, a kernel dump occurs: the kernel handles a NULL pointer dereference.
So use dev_to_iio_dev() to correct the logic.
Dual fixes tags as the second reflects when the bug was exposed, whilst the first reflects when the original bug was introduced.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability CVE-2022-49285 affects the Linux kernel's industrial I/O (IIO) subsystem, specifically within the mma8452 accelerometer driver. This issue stems from incorrect device data retrieval logic that fundamentally undermines the proper functioning of the sensor driver. The mma8452 is a popular 3-axis accelerometer commonly used in mobile devices and embedded systems for motion detection and orientation sensing. The flaw manifests in how the driver accesses the mma8452_data structure, which contains critical configuration and operational parameters for the accelerometer device.
The core technical problem lies in the improper handling of device pointer dereferencing within the driver's data access mechanisms. Originally, the code attempted to use the device pointer to locate the correct i2c_client structure, which is fundamentally flawed since the device pointer points to the IIO device rather than the I2C client. This incorrect approach worked by accident due to the eventual use of dev->driver_data to retrieve the iio_dev, creating a confusing and unreliable code path that violates proper kernel driver design principles. The problematic implementation fails to adhere to the established patterns defined by the Linux kernel's device model and IIO subsystem interfaces, creating potential for undefined behavior and system instability.
The operational impact of this vulnerability becomes particularly severe when userspace applications attempt to query the available scales of the accelerometer sensor. This seemingly simple operation triggers a kernel panic due to a NULL pointer dereference because, after commit 8b7651f25962, the original lookup no longer yields a valid pointer to the mma8452_data structure. The kernel dump that results from this condition represents a critical system failure that can lead to complete system crashes and loss of device functionality. This vulnerability directly impacts devices relying on the mma8452 accelerometer for motion sensing capabilities, potentially affecting mobile devices, tablets, and embedded systems where such sensors are integral to device operation.
The fix implemented addresses the root cause by utilizing the proper kernel API dev_to_iio_dev() which correctly maps the device pointer to the IIO device structure. This approach aligns with the established patterns within the Linux kernel's IIO subsystem and ensures proper data structure access. The vulnerability's resolution demonstrates the importance of maintaining proper device model relationships and following kernel development best practices. The fix also reflects the evolution of kernel APIs, as evidenced by the reference to commit 8b7651f25962 that removed unnecessary self driver data, highlighting how changes in kernel infrastructure can expose previously hidden bugs. This vulnerability exemplifies the challenges in maintaining backward compatibility while evolving kernel subsystems and underscores the critical need for proper kernel driver validation and testing.
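The lookup paths described above, modelled in userspace C as an added example (not the driver's source and not VulDB's code). The struct layouts, struct board, lookup_original(), lookup_fixed() and board_init() are simplified, hypothetical stand-ins, and iio_priv() here returns NULL for a NULL iio_dev so the failure is observable without crashing.

```c
#include <stddef.h>

#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))

/* Simplified stand-ins for the kernel types; layouts are constructed. */
struct device       { void *driver_data; };
struct i2c_client   { long addr; struct device dev; };
struct iio_dev      { struct device dev; void *priv; };
struct mma8452_data { int scale; };

/* Padding keeps the bogus container_of() result inside one object. */
struct board { char pad[32]; struct iio_dev indio; struct mma8452_data data; };

static void *dev_get_drvdata(struct device *d) { return d->driver_data; }
static struct iio_dev *dev_to_iio_dev(struct device *d) { return container_of(d, struct iio_dev, dev); }
/* Model only: returns NULL for a NULL iio_dev so the failure is observable. */
static void *iio_priv(struct iio_dev *i) { return i ? i->priv : NULL; }

/* Pre-fix path: treats the IIO device's struct device as an I2C client's. */
static struct mma8452_data *lookup_original(struct device *dev)
{
    struct i2c_client *client = container_of(dev, struct i2c_client, dev);
    /* &client->dev == dev, so this is really just dev_get_drvdata(dev). */
    return iio_priv(dev_get_drvdata(&client->dev));
}

/* Fixed path: dev is embedded in the iio_dev, so no drvdata is involved. */
static struct mma8452_data *lookup_fixed(struct device *dev)
{
    return iio_priv(dev_to_iio_dev(dev));
}

/* self_drvdata=1 models kernels before commit 8b7651f25962, 0 after it. */
static void board_init(struct board *b, int self_drvdata)
{
    b->data.scale = 2;
    b->indio.priv = &b->data;
    b->indio.dev.driver_data = self_drvdata ? &b->indio : NULL;
}

int main(void)
{
    struct board before, after;
    board_init(&before, 1);
    board_init(&after, 0);
    return !(lookup_original(&before.indio.dev) == &before.data &&
             lookup_original(&after.indio.dev) == NULL &&
             lookup_fixed(&after.indio.dev) == &after.data);
}
```

The program exits 0 when the original path resolves only while the self drvdata is set, and the dev_to_iio_dev() path resolves regardless.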
The technical nature of this vulnerability corresponds to CWE-476, which addresses NULL pointer dereference issues in software development. From an ATT&CK perspective, this represents a system crash or hang technique that can be leveraged for denial-of-service attacks against Linux-based systems. The vulnerability also ties into the broader category of kernel-level privilege escalation and system stability issues that can be exploited to compromise device functionality. The fix demonstrates proper adherence to the IIO subsystem's design patterns and kernel device model conventions, ensuring that driver developers properly utilize the available APIs rather than implementing ad-hoc solutions that can introduce instability. This correction ultimately strengthens the overall reliability of the Linux kernel's IIO subsystem and protects against potential exploitation scenarios that could disrupt device operations through controlled system crashes.