CVE-2022-49980

In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free Read in usbudcuevent()

The syzbot fuzzer found a race between uevent callbacks and gadget driver unregistration that can cause a use-after-free bug:

BUG: KASAN: use-after-free in usbudcuevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 Read of size 8 at addr ffff888078ce2050 by task udevd/2968

CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:317 [inline] printreport.cold+0x2ba/0x719 mm/kasan/report.c:433 kasanreport+0xbe/0x1f0 mm/kasan/report.c:495 usbudcuevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732

dev_uevent+0x290/0x770 drivers/base/core.c:2424

The bug occurs because usbudcuevent() dereferences udc->driver but does so without acquiring the udc_lock mutex, which protects this field. If the gadget driver is unbound from the udc concurrently with uevent processing, the driver structure may be accessed after it has been deallocated.

To prevent the race, we make sure that the routine holds the mutex around the racing accesses.