CVE-2023-53580: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53580 is a vulnerability discovered in the Linux kernel affecting the USB Gadget core component. The issue was identified when a kernel panic occurred during the UVC gadget driver removal from a gadget's configuration. The vulnerability was reported by Avichal Rakesh and involves a complex interaction between the kernel driver and a userspace component (NVD).

The vulnerability stems from a deadlock condition in the USB Gadget core component. The issue occurs when gadgetunbinddriver() calls driver->unbind() while holding the udc->connectlock mutex, and usbgadget_deactivate() attempts to acquire the same mutex. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

When exploited, this vulnerability can lead to a kernel panic in affected systems. The issue specifically impacts systems utilizing the UVC gadget driver functionality in the Linux kernel, potentially causing system instability and denial of service conditions (NVD).

The fix involves modifying gadgetunbinddriver() to release the mutex before performing the unbind callback and reacquiring it afterward. Additionally, comments have been added to usbgadgetactivate() and usbgadgetdeactivate() to prevent similar issues in the future by clarifying that these functions must not be called from a gadget driver's ->disconnect() callback (NVD).