CVE-2023-53045

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_audio: don't let userspace block driver unbind

In the unbind callback for fuac1 and fuac2, a call to sndcardfree() via gaudiocleanup() will disconnect the card and then wait for all resources to be released, which happens when the refcount falls to zero. Since userspace can keep the refcount incremented by not closing the relevant file descriptor, the call to unbind may block indefinitely. This can cause a deadlock during reboot, as evidenced by the following blocked task observed on my machine:

task:reboot state:D stack:0 pid:2827 ppid:569 flags:0x0000000c Call trace: _switchto+0xc8/0x140 _schedule+0x2f0/0x7c0 schedule+0x60/0xd0 scheduletimeout+0x180/0x1d4 waitforcompletion+0x78/0x180 sndcardfree+0x90/0xa0 gaudiocleanup+0x2c/0x64 afuncunbind+0x28/0x60 ... kernelrestart+0x4c/0xac _dosysreboot+0xcc/0x1ec _arm64sysreboot+0x28/0x30 invoke_syscall+0x4c/0x110 ...

The issue can also be observed by opening the card with arecord and then stopping the process through the shell before unbinding:

# arecord -D hw:UAC2Gadget -f S32LE -c 2 -r 48000 /dev/null Recording WAVE '/dev/null' : Signed 32 bit Little Endian, Rate 48000 Hz, Stereo ^Z[1]+ Stopped arecord -D hw:UAC2Gadget -f S32LE -c 2 -r 48000 /dev/null # echo gadget.0 > /sys/bus/gadget/drivers/configfs-gadget/unbind (observe that the unbind command never finishes)

Fix the problem by using sndcardfreewhenclosed() instead, which will still disconnect the card as desired, but defer the task of freeing the resources to the core once userspace closes its file descriptor.