github - ghsa-cf5g-vjxj-5fc7

ghsa-cf5g-vjxj-5fc7

Vulnerability from github

Published

2025-10-22 15:31

Modified

2025-10-22 15:31

Details

In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix the memory leak in raw_gadget driver

Currently, increasing raw_dev->count happens before invoke the raw_queue_event(), if the raw_queue_event() return error, invoke raw_release() will not trigger the dev_free() to be called.

[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event [ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12 [ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12 [ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16

BUG: memory leak

[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [] kmalloc include/linux/slab.h:582 [inline] [] kzalloc include/linux/slab.h:703 [inline] [] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline] [] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385 [] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165

[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [] kmalloc include/linux/slab.h:582 [inline] [] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460 [] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250 [] vfs_ioctl fs/ioctl.c:51 [inline]

[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [] kmalloc include/linux/slab.h:582 [inline] [] kzalloc include/linux/slab.h:703 [inline] [] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665 [] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196 [] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292

This commit therefore invoke kref_get() under the condition that raw_queue_event() return success.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-53693"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T14:15:43Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix the memory leak in raw_gadget driver\n\nCurrently, increasing raw_dev-\u003ecount happens before invoke the\nraw_queue_event(), if the raw_queue_event() return error, invoke\nraw_release() will not trigger the dev_free() to be called.\n\n[  268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event\n[  268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12\n[  268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12\n[  268.925956][ T5067] UDC core: USB Raw Gadget: couldn\u0027t find an available UDC or it\u0027s busy\n[  268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16\n\nBUG: memory leak\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff8347eb55\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff8347eb55\u003e] kzalloc include/linux/slab.h:703 [inline]\n[\u003cffffffff8347eb55\u003e] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]\n[\u003cffffffff8347eb55\u003e] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385\n[\u003cffffffff827d1d09\u003e] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff8347cd2f\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff8347cd2f\u003e] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460\n[\u003cffffffff8347dfe9\u003e] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250\n[\u003cffffffff81685173\u003e] vfs_ioctl fs/ioctl.c:51 [inline]\n\n[\u003cffffffff8154bf94\u003e] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076\n[\u003cffffffff833ecc6a\u003e] kmalloc include/linux/slab.h:582 [inline]\n[\u003cffffffff833ecc6a\u003e] kzalloc include/linux/slab.h:703 [inline]\n[\u003cffffffff833ecc6a\u003e] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665\n[\u003cffffffff833e9132\u003e] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196\n[\u003cffffffff8347f13d\u003e] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292\n\nThis commit therefore invoke kref_get() under the condition that\nraw_queue_event() return success.",
  "id": "GHSA-cf5g-vjxj-5fc7",
  "modified": "2025-10-22T15:31:10Z",
  "published": "2025-10-22T15:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53693"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f7a2b567197798da7bfa2252f4485c0ca6c6266"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68e6287ac61dc22513cd39f02b9ac1fef28513e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83e30f2bf86ef7c38fbd476ed81a88522b620628"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9934e5d07c0dc294169a7d52f6309f35cd6d7755"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de77000c1923d7942f9b4f08447c8feeae1c0f33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2023-53693 (GCVE-0-2023-53693)

Vulnerability from cvelistv5

Published

2025-10-22 13:23

Modified

2025-10-30 19:33

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix the memory leak in raw_gadget driver Currently, increasing raw_dev->count happens before invoke the raw_queue_event(), if the raw_queue_event() return error, invoke raw_release() will not trigger the dev_free() to be called. [ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event [ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12 [ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12 [ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16 BUG: memory leak [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff8347eb55>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff8347eb55>] kzalloc include/linux/slab.h:703 [inline] [<ffffffff8347eb55>] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline] [<ffffffff8347eb55>] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385 [<ffffffff827d1d09>] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165 [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff8347cd2f>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff8347cd2f>] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460 [<ffffffff8347dfe9>] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250 [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 [<ffffffff833ecc6a>] kmalloc include/linux/slab.h:582 [inline] [<ffffffff833ecc6a>] kzalloc include/linux/slab.h:703 [inline] [<ffffffff833ecc6a>] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665 [<ffffffff833e9132>] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196 [<ffffffff8347f13d>] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292 This commit therefore invoke kref_get() under the condition that raw_queue_event() return success.

References

URL

Tags

	https://git.kernel.org/stable/c/68e6287ac61dc22513cd39f02b9ac1fef28513e4
	https://git.kernel.org/stable/c/0f7a2b567197798da7bfa2252f4485c0ca6c6266
	https://git.kernel.org/stable/c/de77000c1923d7942f9b4f08447c8feeae1c0f33
	https://git.kernel.org/stable/c/9934e5d07c0dc294169a7d52f6309f35cd6d7755
	https://git.kernel.org/stable/c/83e30f2bf86ef7c38fbd476ed81a88522b620628

Impacted products

Vendor

Product

Version

Linux

Version: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Version: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Version: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Version: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Version: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10

Linux

Version: 5.7

Show details on NVD website