CVE-2023-53045
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_audio: don't let userspace block driver unbind

In the unbind callback for f_uac1 and f_uac2, a call to snd_card_free()
via g_audio_cleanup() will disconnect the card and then wait for all
resources to be released, which happens when the refcount falls to zero.
Since userspace can keep the refcount incremented by not closing the
relevant file descriptor, the call to unbind may block indefinitely.
This can cause a deadlock during reboot, as evidenced by the following
blocked task observed on my machine:

  task:reboot state:D stack:0 pid:2827 ppid:569 flags:0x0000000c
  Call trace:
   __switch_to+0xc8/0x140
   __schedule+0x2f0/0x7c0
   schedule+0x60/0xd0
   schedule_timeout+0x180/0x1d4
   wait_for_completion+0x78/0x180
   snd_card_free+0x90/0xa0
   g_audio_cleanup+0x2c/0x64
   afunc_unbind+0x28/0x60
   ...
   kernel_restart+0x4c/0xac
   __do_sys_reboot+0xcc/0x1ec
   __arm64_sys_reboot+0x28/0x30
   invoke_syscall+0x4c/0x110
   ...

The issue can also be observed by opening the card with arecord and
then stopping the process through the shell before unbinding:

  # arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null
  Recording WAVE '/dev/null' : Signed 32 bit Little Endian, Rate 48000 Hz, Stereo
  ^Z[1]+ Stopped arecord -D hw:UAC2Gadget -f S32_LE -c 2 -r 48000 /dev/null
  # echo gadget.0 > /sys/bus/gadget/drivers/configfs-gadget/unbind
  (observe that the unbind command never finishes)

Fix the problem by using snd_card_free_when_closed() instead, which will
still disconnect the card as desired, but defer the task of freeing the
resources to the core once userspace closes its file descriptor.
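
A triage check for the hang described above, as an added example (not part of the kernel commit or of this advisory): it parses a blocked-task dump in the format shown in the description and reports D-state tasks whose stack contains wait_for_completion, snd_card_free and g_audio_cleanup in that order. The function names, the dmesg-style timestamps and the sample dump are assumptions constructed for illustration.

```python
import re

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")          # optional dmesg timestamp
_TASK = re.compile(r"task:(\S+)\s+state:(\S)\s.*?\bpid:(\d+)")
_FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Innermost-first call chain from the advisory's blocked-task trace.
SIGNATURE = ("wait_for_completion", "snd_card_free", "g_audio_cleanup")

def parse_tasks(text):
    """Split a blocked-task dump into dicts: comm, state, pid, frames."""
    tasks = []
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        m = _TASK.search(line)
        f = _FRAME.match(line)
        if m:
            tasks.append({"comm": m.group(1), "state": m.group(2),
                          "pid": int(m.group(3)), "frames": []})
        elif f and tasks:
            tasks[-1]["frames"].append(f.group(1))
    return tasks

def blocked_in_uac_unbind(task):
    """True for a D-state task whose stack contains SIGNATURE in order."""
    frames, pos = task["frames"], 0
    for sym in SIGNATURE:
        if sym not in frames[pos:]:
            return False
        pos = frames.index(sym, pos) + 1
    return task["state"] == "D"

def find_stuck_unbinds(text):
    return [(t["comm"], t["pid"]) for t in parse_tasks(text)
            if blocked_in_uac_unbind(t)]

# Constructed sample: first task abbreviated from the trace above with
# made-up timestamps; second task is an unrelated, invented D-state wait.
SAMPLE = """\
[  243.10] task:reboot state:D stack:0 pid:2827 ppid:569 flags:0x0000000c
[  243.10] Call trace:
[  243.10]  wait_for_completion+0x78/0x180
[  243.10]  snd_card_free+0x90/0xa0
[  243.10]  g_audio_cleanup+0x2c/0x64
[  243.10]  afunc_unbind+0x28/0x60
[  243.20] task:sync state:D stack:0 pid:3001 ppid:1 flags:0x00000004
[  243.20] Call trace:
[  243.20]  wait_for_completion+0x78/0x180
[  243.20]  flush_work+0x40/0x60
"""
```

Calling find_stuck_unbinds(SAMPLE) returns the reboot task only; the second task also waits on a completion but not beneath snd_card_free, so it is not reported.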
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0eda2004f38d95ef5715d62be884cd344260535b
- https://git.kernel.org/stable/c/3256e152b645fc1e788ba44c2d8ced690113e3e6
- https://git.kernel.org/stable/c/33f341c1fc60e172a3515c51bdabee11e83d1ee9
- https://git.kernel.org/stable/c/3bc7324e4911351e39c54a62e6ca46321cb10faf
- https://git.kernel.org/stable/c/3e016ef2e72da93a2ea7afbb45de1b481b44d761
- https://git.kernel.org/stable/c/43ca70753dfffd517d2af126da28690f8f615605
- https://git.kernel.org/stable/c/6c67ed9ad9b83e453e808f9b31a931a20a25629b
- https://git.kernel.org/stable/c/b131989797f7287d7fdadb2bababc05a15d44750