CVE-2023-53580

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/10/2025
Last modified:
06/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: Gadget: core: Help prevent panic during UVC unconfigure

Avichal Rakesh reported a kernel panic that occurred when the UVC gadget driver was removed from a gadget's configuration. The panic involves a somewhat complicated interaction between the kernel driver and a userspace component (as described in the Link tag below), but the analysis did make one thing clear: The Gadget core should accommodate gadget drivers calling usb_gadget_deactivate() as part of their unbind procedure.

Currently this doesn't work. gadget_unbind_driver() calls driver->unbind() while holding the udc->connect_lock mutex, and usb_gadget_deactivate() attempts to acquire that mutex, which will result in a deadlock.

The simple fix is for gadget_unbind_driver() to release the mutex when invoking the ->unbind() callback. There is no particular reason for it to be holding the mutex at that time, and the mutex isn't held while the ->bind() callback is invoked. So we'll drop the mutex before performing the unbind callback and reacquire it afterward.

We'll also add a couple of comments to usb_gadget_activate() and usb_gadget_deactivate(). Because they run in process context they must not be called from a gadget driver's ->disconnect() callback, which (according to the kerneldoc for struct usb_gadget_driver in include/linux/usb/gadget.h) may run in interrupt context. This may help prevent similar bugs from arising in the future.
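
The locking problem described above, modelled in userspace as an added example (not kernel code and not part of the patch): a callback invoked with connect_lock held tries to take the same lock. The model_* names are hypothetical, and pthread_mutex_trylock() stands in for the kernel's blocking lock so the model returns EBUSY instead of hanging.

```c
/* Userspace model of the locking pattern, not kernel code; model_* names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

struct model_udc {
    pthread_mutex_t connect_lock;  /* plays the role of udc->connect_lock */
    int deactivate_rc;             /* what the unbind callback observed */
};

/* Stand-in for usb_gadget_deactivate(), which needs connect_lock. trylock
 * makes the model return EBUSY where a blocking lock would wait forever. */
static int model_deactivate(struct model_udc *udc)
{
    int rc = pthread_mutex_trylock(&udc->connect_lock);
    if (rc != 0)
        return rc;
    pthread_mutex_unlock(&udc->connect_lock);
    return 0;
}

/* Stand-in for a gadget driver's ->unbind() that deactivates the gadget. */
static void model_unbind_cb(struct model_udc *udc)
{
    udc->deactivate_rc = model_deactivate(udc);
}

/* Stand-in for gadget_unbind_driver(). drop_lock == 0 holds the mutex across
 * the callback; drop_lock == 1 releases it first and reacquires it after. */
static int model_unbind_driver(int drop_lock)
{
    struct model_udc udc = { .deactivate_rc = -1 };
    pthread_mutex_init(&udc.connect_lock, NULL);
    pthread_mutex_lock(&udc.connect_lock);
    if (drop_lock)
        pthread_mutex_unlock(&udc.connect_lock);
    model_unbind_cb(&udc);
    if (drop_lock)
        pthread_mutex_lock(&udc.connect_lock);
    pthread_mutex_unlock(&udc.connect_lock);
    pthread_mutex_destroy(&udc.connect_lock);
    return udc.deactivate_rc;
}

int main(void)
{
    printf("held: %d, dropped: %d\n", model_unbind_driver(0), model_unbind_driver(1));
    return 0;
}
```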

Impact