Linux Kernel USB Gadget Audio Driver Unbind Blocking Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB gadget audio driver can lead to a deadlock during system reboot. This issue arises because the unbind callback for the UAC1 and UAC2 functions calls snd_card_free(), which disconnects the audio card and waits for all resources to be released. However, userspace can prevent the refcount from falling to zero by not closing the relevant file descriptor, causing the unbind process to block indefinitely. This blockage can interrupt the reboot process, as demonstrated by a recorded task state indicating a stalled reboot operation. The issue can also be replicated by opening the audio card with arecord, pausing the recording, and then issuing an unbind command, which will not complete.

Impact

This vulnerability can cause a system reboot to hang indefinitely, leading to a failure in the reboot process.

Reproduction

To reproduce this vulnerability, first open the audio card using the 'arecord' command with the appropriate parameters for the UAC2 gadget. Once the recording has started, pause the process using the shell. After stopping the recording, issue an unbind command for the gadget driver. The unbind process will hang and not finish, causing a deadlock.

Remediation

The vulnerability has been addressed by modifying the unbind process to use 'snd_card_free_when_closed()', which allows the audio card to be disconnected while deferring the resource cleanup until userspace closes the file descriptor.
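
The difference between the two teardown calls can be seen in a small userspace model. This is an added example, not kernel code or the actual patch: the model_* names and the struct are hypothetical, and a false return from model_card_free() stands in for the point where the real call would sleep.

```c
/* Userspace model (constructed for illustration; not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct model_card {
    int  open_fds;       /* descriptors userspace still holds open */
    bool disconnected;   /* card no longer usable for I/O */
    bool free_on_close;  /* cleanup deferred to the last close */
    bool released;       /* resources actually freed */
};

/* Models snd_card_free_when_closed(): disconnect, never wait. */
static void model_card_free_when_closed(struct model_card *c)
{
    c->disconnected = true;
    if (c->open_fds == 0)
        c->released = true;
    else
        c->free_on_close = true;
}

/* Models snd_card_free(): same disconnect, then wait for release.
 * Returns false where the real call would sleep in the unbind path. */
static bool model_card_free(struct model_card *c)
{
    model_card_free_when_closed(c);
    return c->released;
}

/* Models userspace closing one descriptor on the card. */
static void model_close(struct model_card *c)
{
    if (c->open_fds > 0 && --c->open_fds == 0 && c->free_on_close)
        c->released = true;
}

int main(void)
{
    struct model_card old = { .open_fds = 1 }, fixed = { .open_fds = 1 };
    printf("snd_card_free model returns: %d\n", model_card_free(&old));
    model_card_free_when_closed(&fixed);   /* returns at once */
    model_close(&fixed);                   /* userspace closes later */
    printf("released after last close: %d\n", fixed.released);
    return 0;
}
```

In the model, as in the fix described above, the card is disconnected in both cases; only the point at which the caller is allowed to continue differs.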

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.