CVE-2022-49943

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: gadget: Fix obscure lockdep violation for udc_mutex<br /> <br /> A recent commit expanding the scope of the udc_lock mutex in the<br /> gadget core managed to cause an obscure and slightly bizarre lockdep<br /> violation. In abbreviated form:<br /> <br /> ======================================================<br /> WARNING: possible circular locking dependency detected<br /> 5.19.0-rc7+ #12510 Not tainted<br /> ------------------------------------------------------<br /> udevadm/312 is trying to acquire lock:<br /> ffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0<br /> <br /> but task is already holding lock:<br /> ffff000002277548 (kn-&gt;active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #3 (kn-&gt;active#4){++++}-{0:0}:<br />        lock_acquire+0x68/0x84<br />        __kernfs_remove+0x268/0x380<br />        kernfs_remove_by_name_ns+0x58/0xac<br />        sysfs_remove_file_ns+0x18/0x24<br />        device_del+0x15c/0x440<br /> <br /> -&gt; #2 (device_links_lock){+.+.}-{3:3}:<br />        lock_acquire+0x68/0x84<br />        __mutex_lock+0x9c/0x430<br />        mutex_lock_nested+0x38/0x64<br />        device_link_remove+0x3c/0xa0<br />        _regulator_put.part.0+0x168/0x190<br />        regulator_put+0x3c/0x54<br />        devm_regulator_release+0x14/0x20<br /> <br /> -&gt; #1 (regulator_list_mutex){+.+.}-{3:3}:<br />        lock_acquire+0x68/0x84<br />        __mutex_lock+0x9c/0x430<br />        mutex_lock_nested+0x38/0x64<br />        regulator_lock_dependent+0x54/0x284<br />        regulator_enable+0x34/0x80<br />        phy_power_on+0x24/0x130<br />        __dwc2_lowlevel_hw_enable+0x100/0x130<br />        dwc2_lowlevel_hw_enable+0x18/0x40<br />        dwc2_hsotg_udc_start+0x6c/0x2f0<br />        gadget_bind_driver+0x124/0x1f4<br /> <br /> -&gt; #0 (udc_lock){+.+.}-{3:3}:<br />        __lock_acquire+0x1298/0x20cc<br />        lock_acquire.part.0+0xe0/0x230<br />        lock_acquire+0x68/0x84<br />        __mutex_lock+0x9c/0x430<br />        mutex_lock_nested+0x38/0x64<br />        usb_udc_uevent+0x54/0xe0<br /> <br /> Evidently this was caused by the scope of udc_mutex being too large.<br /> The mutex is only meant to protect udc-&gt;driver along with a few other<br /> things. As far as I can tell, there&amp;#39;s no reason for the mutex to be<br /> held while the gadget core calls a gadget driver&amp;#39;s -&gt;bind or -&gt;unbind<br /> routine, or while a UDC is being started or stopped. (This accounts<br /> for link #1 in the chain above, where the mutex is held while the<br /> dwc2_hsotg_udc is started as part of driver probing.)<br /> <br /> Gadget drivers&amp;#39; -&gt;disconnect callbacks are problematic. Even though<br /> usb_gadget_disconnect() will now acquire the udc_mutex, there&amp;#39;s a<br /> window in usb_gadget_bind_driver() between the times when the mutex is<br /> released and the -&gt;bind callback is invoked. If a disconnect occurred<br /> during that window, we could call the driver&amp;#39;s -&gt;disconnect routine<br /> before its -&gt;bind routine. To prevent this from happening, it will be<br /> necessary to prevent a UDC from connecting while it has no gadget<br /> driver. This should be done already but it doesn&amp;#39;t seem to be;<br /> currently usb_gadget_connect() has no check for this. Such a check<br /> will have to be added later.<br /> <br /> Some degree of mutual exclusion is required in soft_connect_store(),<br /> which can dereference udc-&gt;driver at arbitrary times since it is a<br /> sysfs callback. The solution here is to acquire the gadget&amp;#39;s device<br /> lock rather than the udc_mutex. Since the driver core guarantees that<br /> the device lock is always held during driver binding and unbinding,<br /> this will make the accesses in soft_connect_store() mutually exclusive<br /> with any changes to udc-&gt;driver.<br /> <br /> Lastly, it turns out there is one place which should hold the<br /> udc_mutex but currently does not: The function_show() routine needs<br /> protection while it dereferences udc-&gt;driver. The missing lock and<br /> unlock calls are added.