12969 vulnerabilities by linux

CVE-2023-53866 (GCVE-0-2023-53866)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-compress: Reposition and add pcm_mutex

If panic_on_warn is set and compress stream (DPCM) is started, then a kernel panic occurred because card->pcm_mutex isn't held appropriately. In the following functions, warnings were issued at this line "snd_soc_dpcm_mutex_assert_held".

    static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,
                    struct snd_soc_pcm_runtime *be, int stream)
    {
            ...
            snd_soc_dpcm_mutex_assert_held(fe);
            ...
    }

    void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)
    {
            ...
            snd_soc_dpcm_mutex_assert_held(fe);
            ...
    }

    void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,
                                int stream, int action)
    {
            ...
            snd_soc_dpcm_mutex_assert_held(rtd);
            ...
    }

    int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,
            int event)
    {
            ...
            snd_soc_dpcm_mutex_assert_held(fe);
            ...
    }

These functions are called by soc_compr_set_params_fe, soc_compr_open_fe and soc_compr_free_fe without pcm_mutex locking. And this is the call stack.

    [  414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750
    [  414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750
    [  414.527945][ T2179] Call trace:
    [  414.527949][ T2179]  dpcm_process_paths+0x5a4/0x750
    [  414.527955][ T2179]  soc_compr_open_fe+0xb0/0x2cc
    [  414.527972][ T2179]  snd_compr_open+0x180/0x248
    [  414.527981][ T2179]  snd_open+0x15c/0x194
    [  414.528003][ T2179]  chrdev_open+0x1b0/0x220
    [  414.528023][ T2179]  do_dentry_open+0x30c/0x594
    [  414.528045][ T2179]  vfs_open+0x34/0x44
    [  414.528053][ T2179]  path_openat+0x914/0xb08
    [  414.528062][ T2179]  do_filp_open+0xc0/0x170
    [  414.528068][ T2179]  do_sys_openat2+0x94/0x18c
    [  414.528076][ T2179]  __arm64_sys_openat+0x78/0xa4
    [  414.528084][ T2179]  invoke_syscall+0x48/0x10c
    [  414.528094][ T2179]  el0_svc_common+0xbc/0x104
    [  414.528099][ T2179]  do_el0_svc+0x34/0xd8
    [  414.528103][ T2179]  el0_svc+0x34/0xc4
    [  414.528125][ T2179]  el0t_64_sync_handler+0x8c/0xfc
    [  414.528133][ T2179]  el0t_64_sync+0x1a0/0x1a4
    [  414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...

So, I reposition and add pcm_mutex to resolve lockdep error.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9576b7ccc20365d27c26c494651c89360a85bbdc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa9ff6a4955fdba02b54fbc4386db876603703b7 (git)
    Linux Linux Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/soc-compress.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9576b7ccc20365d27c26c494651c89360a85bbdc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aa9ff6a4955fdba02b54fbc4386db876603703b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/soc-compress.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: Reposition and add pcm_mutex\n\nIf panic_on_warn is set and compress stream(DPCM) is started,\nthen kernel panic occurred because card-\u003epcm_mutex isn\u0027t held appropriately.\nIn the following functions, warning were issued at this line\n\"snd_soc_dpcm_mutex_assert_held\".\n\nstatic int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,\n\t\tstruct snd_soc_pcm_runtime *be, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,\n\t\t\t    int stream, int action)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(rtd);\n\t...\n}\n\nint dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,\n\tint event)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nThese functions are called by soc_compr_set_params_fe, soc_compr_open_fe\nand soc_compr_free_fe\nwithout pcm_mutex locking. 
And this is call stack.\n\n[  414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750\n[  414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750\n[  414.527945][ T2179] Call trace:\n[  414.527949][ T2179]  dpcm_process_paths+0x5a4/0x750\n[  414.527955][ T2179]  soc_compr_open_fe+0xb0/0x2cc\n[  414.527972][ T2179]  snd_compr_open+0x180/0x248\n[  414.527981][ T2179]  snd_open+0x15c/0x194\n[  414.528003][ T2179]  chrdev_open+0x1b0/0x220\n[  414.528023][ T2179]  do_dentry_open+0x30c/0x594\n[  414.528045][ T2179]  vfs_open+0x34/0x44\n[  414.528053][ T2179]  path_openat+0x914/0xb08\n[  414.528062][ T2179]  do_filp_open+0xc0/0x170\n[  414.528068][ T2179]  do_sys_openat2+0x94/0x18c\n[  414.528076][ T2179]  __arm64_sys_openat+0x78/0xa4\n[  414.528084][ T2179]  invoke_syscall+0x48/0x10c\n[  414.528094][ T2179]  el0_svc_common+0xbc/0x104\n[  414.528099][ T2179]  do_el0_svc+0x34/0xd8\n[  414.528103][ T2179]  el0_svc+0x34/0xc4\n[  414.528125][ T2179]  el0t_64_sync_handler+0x8c/0xfc\n[  414.528133][ T2179]  el0t_64_sync+0x1a0/0x1a4\n[  414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...\n\nSo, I reposition and add pcm_mutex to resolve lockdep error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:35.817Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9576b7ccc20365d27c26c494651c89360a85bbdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651"
        },
        {
          "url": "https://git.kernel.org/stable/c/37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9ff6a4955fdba02b54fbc4386db876603703b7"
        }
      ],
      "title": "ASoC: soc-compress: Reposition and add pcm_mutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53866",
    "datePublished": "2025-12-09T01:30:35.817Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:35.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53865 (GCVE-0-2023-53865)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix warning when putting transaction with qgroups enabled after abort

If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this:

    [552.6789] ------------[ cut here ]------------
    [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]
    [552.6817] Modules linked in: btrfs blake2b_generic xor (...)
    [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1
    [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
    [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]
    [552.6821] Code: bd a0 01 00 (...)
    [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286
    [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000
    [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010
    [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20
    [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70
    [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028
    [552.6821] FS:  0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000
    [552.6821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0
    [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [552.6822] Call Trace:
    [552.6822]  <TASK>
    [552.6822]  ? __warn+0x80/0x130
    [552.6822]  ? btrfs_put_transaction+0x123/0x130 [btrfs]
    [552.6824]  ? report_bug+0x1f4/0x200
    [552.6824]  ? handle_bug+0x42/0x70
    [552.6824]  ? exc_invalid_op+0x14/0x70
    [552.6824]  ? asm_exc_invalid_op+0x16/0x20
    [552.6824]  ? btrfs_put_transaction+0x123/0x130 [btrfs]
    [552.6826]  btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]
    [552.6828]  ? _raw_spin_unlock_irqrestore+0x23/0x40
    [552.6828]  ? try_to_wake_up+0x94/0x5e0
    [552.6828]  ? __pfx_process_timeout+0x10/0x10
    [552.6828]  transaction_kthread+0x103/0x1d0 [btrfs]
    [552.6830]  ? __pfx_transaction_kthread+0x10/0x10 [btrfs]
    [552.6832]  kthread+0xee/0x120
    [552.6832]  ? __pfx_kthread+0x10/0x10
    [552.6832]  ret_from_fork+0x29/0x50
    [552.6832]  </TASK>
    [552.6832] ---[ end trace 0000000000000000 ]---

This corresponds to this line of code:

    void btrfs_put_transaction(struct btrfs_transaction *transaction)
    {
        (...)
            WARN_ON(!RB_EMPTY_ROOT(
                            &transaction->delayed_refs.dirty_extent_root));
        (...)
    }

The warning happens because in btrfs_qgroup_destroy_extent_records(), called in the transaction abort path, we free all entries from the rbtree "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we don't actually empty the rbtree - it's still pointing to nodes that were freed.

So set the rbtree's root node to NULL to avoid this warning (assign RB_ROOT).
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 40ea30638d20c92b44107247415842b72c460459 , < ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0 (git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < d2c667cc18314c9bad3ec86ae071c0342132aa09 (git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < c9060caab4135dd660c4676d1ea33a6e0d3fc09d (git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 89e994688e965813ec0a09fb30b87fb8cee06474 (git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb (git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 (git)
Affected: 4e2e49d4211db43e0ec932579dab6a969e7e8df1 (git)
    Linux Linux Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.123 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0",
              "status": "affected",
              "version": "40ea30638d20c92b44107247415842b72c460459",
              "versionType": "git"
            },
            {
              "lessThan": "d2c667cc18314c9bad3ec86ae071c0342132aa09",
              "status": "affected",
              "version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
              "versionType": "git"
            },
            {
              "lessThan": "c9060caab4135dd660c4676d1ea33a6e0d3fc09d",
              "status": "affected",
              "version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
              "versionType": "git"
            },
            {
              "lessThan": "89e994688e965813ec0a09fb30b87fb8cee06474",
              "status": "affected",
              "version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
              "versionType": "git"
            },
            {
              "lessThan": "62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb",
              "status": "affected",
              "version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
              "versionType": "git"
            },
            {
              "lessThan": "aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6",
              "status": "affected",
              "version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4e2e49d4211db43e0ec932579dab6a969e7e8df1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "versionStartIncluding": "5.4.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.123",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix warning when putting transaction with qgroups enabled after abort\n\nIf we have a transaction abort with qgroups enabled we get a warning\ntriggered when doing the final put on the transaction, like this:\n\n  [552.6789] ------------[ cut here ]------------\n  [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6817] Modules linked in: btrfs blake2b_generic xor (...)\n  [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n  [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6821] Code: bd a0 01 00 (...)\n  [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286\n  [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000\n  [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010\n  [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20\n  [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70\n  [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028\n  [552.6821] FS:  0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000\n  [552.6821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0\n  [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [552.6822] Call Trace:\n  [552.6822]  \u003cTASK\u003e\n  [552.6822]  ? __warn+0x80/0x130\n  [552.6822]  ? btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6824]  ? report_bug+0x1f4/0x200\n  [552.6824]  ? handle_bug+0x42/0x70\n  [552.6824]  ? 
exc_invalid_op+0x14/0x70\n  [552.6824]  ? asm_exc_invalid_op+0x16/0x20\n  [552.6824]  ? btrfs_put_transaction+0x123/0x130 [btrfs]\n  [552.6826]  btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]\n  [552.6828]  ? _raw_spin_unlock_irqrestore+0x23/0x40\n  [552.6828]  ? try_to_wake_up+0x94/0x5e0\n  [552.6828]  ? __pfx_process_timeout+0x10/0x10\n  [552.6828]  transaction_kthread+0x103/0x1d0 [btrfs]\n  [552.6830]  ? __pfx_transaction_kthread+0x10/0x10 [btrfs]\n  [552.6832]  kthread+0xee/0x120\n  [552.6832]  ? __pfx_kthread+0x10/0x10\n  [552.6832]  ret_from_fork+0x29/0x50\n  [552.6832]  \u003c/TASK\u003e\n  [552.6832] ---[ end trace 0000000000000000 ]---\n\nThis corresponds to this line of code:\n\n  void btrfs_put_transaction(struct btrfs_transaction *transaction)\n  {\n      (...)\n          WARN_ON(!RB_EMPTY_ROOT(\n                          \u0026transaction-\u003edelayed_refs.dirty_extent_root));\n      (...)\n  }\n\nThe warning happens because btrfs_qgroup_destroy_extent_records(), called\nin the transaction abort path, we free all entries from the rbtree\n\"dirty_extent_root\" with rbtree_postorder_for_each_entry_safe(), but we\ndon\u0027t actually empty the rbtree - it\u0027s still pointing to nodes that were\nfreed.\n\nSo set the rbtree\u0027s root node to NULL to avoid this warning (assign\nRB_ROOT)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:34.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2c667cc18314c9bad3ec86ae071c0342132aa09"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9060caab4135dd660c4676d1ea33a6e0d3fc09d"
        },
        {
          "url": "https://git.kernel.org/stable/c/89e994688e965813ec0a09fb30b87fb8cee06474"
        },
        {
          "url": "https://git.kernel.org/stable/c/62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6"
        }
      ],
      "title": "btrfs: fix warning when putting transaction with qgroups enabled after abort",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53865",
    "datePublished": "2025-12-09T01:30:34.588Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:34.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53864 (GCVE-0-2023-53864)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()

When disabling overlay plane in mxsfb_plane_overlay_atomic_update(), overlay plane's framebuffer pointer is NULL. So, dereferencing it would cause a kernel Oops (NULL pointer dereferencing). Fix the issue by disabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < 8bf2d4ca521d3acb57fc1607386e749b3cc92aaf (git)
Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < 0f98de0a11d29821d9448114178ddc1b1fe32a18 (git)
Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < aa656d48e871a1b062e1bbf9474d8b831c35074c (git)
    Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.54 , ≤ 6.1.* (semver)
Unaffected: 6.5.4 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mxsfb/mxsfb_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8bf2d4ca521d3acb57fc1607386e749b3cc92aaf",
              "status": "affected",
              "version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
              "versionType": "git"
            },
            {
              "lessThan": "0f98de0a11d29821d9448114178ddc1b1fe32a18",
              "status": "affected",
              "version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
              "versionType": "git"
            },
            {
              "lessThan": "aa656d48e871a1b062e1bbf9474d8b831c35074c",
              "status": "affected",
              "version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mxsfb/mxsfb_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.54",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()\n\nWhen disabling overlay plane in mxsfb_plane_overlay_atomic_update(),\noverlay plane\u0027s framebuffer pointer is NULL.  So, dereferencing it would\ncause a kernel Oops(NULL pointer dereferencing).  Fix the issue by\ndisabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:33.263Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8bf2d4ca521d3acb57fc1607386e749b3cc92aaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f98de0a11d29821d9448114178ddc1b1fe32a18"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa656d48e871a1b062e1bbf9474d8b831c35074c"
        }
      ],
      "title": "drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53864",
    "datePublished": "2025-12-09T01:30:33.263Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:33.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53863 (GCVE-0-2023-53863)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

netlink: do not hard code device address lenth in fdb dumps

syzbot reports that some netdev devices do not have a six bytes address [1]

Replace ETH_ALEN by dev->addr_len.

[1] (Case of a device where dev->addr_len = 4)

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copyout+0xb8/0x100 lib/iov_iter.c:169
_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
copy_to_iter include/linux/uio.h:206 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
sock_recvmsg_nosec net/socket.c:1019 [inline]
sock_recvmsg net/socket.c:1040 [inline]
____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
slab_alloc_node mm/slub.c:3451 [inline]
__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
kmalloc include/linux/slab.h:559 [inline]
__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
do_set_master net/core/rtnetlink.c:2626 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf28/0x1230 net/netlink/af_
---truncated---
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 61d1bf3c34bf5fe936c50d1a4bc460babcc85e88 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < bd1de6107f10e7d4c2aabe3397b58d63672fc511 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 44db85c6e1a184b99a2cdf56b525ac63c4962c22 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 619384319b137908d1008c92426c9daa95c06b90 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < e9331c8fa4c69f09d2c71682af75586f77266e81 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < b6f2d4618fc697886ad41e215ae20638153e42d0 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 73862118bd9dec850aa8e775145647ddd23aedf8 (git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < aa5406950726e336c5c9585b09799a734b6e77bf (git)
    Linux Linux Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 4.14.322 , ≤ 4.14.* (semver)
Unaffected: 4.19.291 , ≤ 4.19.* (semver)
Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.121 , ≤ 5.15.* (semver)
Unaffected: 6.1.39 , ≤ 6.1.* (semver)
Unaffected: 6.3.13 , ≤ 6.3.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/rtnetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61d1bf3c34bf5fe936c50d1a4bc460babcc85e88",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "bd1de6107f10e7d4c2aabe3397b58d63672fc511",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "44db85c6e1a184b99a2cdf56b525ac63c4962c22",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "619384319b137908d1008c92426c9daa95c06b90",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "e9331c8fa4c69f09d2c71682af75586f77266e81",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "b6f2d4618fc697886ad41e215ae20638153e42d0",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "73862118bd9dec850aa8e775145647ddd23aedf8",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            },
            {
              "lessThan": "aa5406950726e336c5c9585b09799a734b6e77bf",
              "status": "affected",
              "version": "d83b060360485454fcd6870340ec01d6f96f2295",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/rtnetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.322",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.291",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.121",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.39",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.13",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: do not hard code device address lenth in fdb dumps\n\nsyzbot reports that some netdev devices do not have a six bytes\naddress [1]\n\nReplace ETH_ALEN by dev-\u003eaddr_len.\n\n[1] (Case of a device where dev-\u003eaddr_len = 4)\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopyout+0xb8/0x100 lib/iov_iter.c:169\n_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536\ncopy_to_iter include/linux/uio.h:206 [inline]\nsimple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513\n__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527\nskb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\nnetlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970\nsock_recvmsg_nosec net/socket.c:1019 [inline]\nsock_recvmsg net/socket.c:1040 [inline]\n____sys_recvmsg+0x283/0x7f0 net/socket.c:2722\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1009 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1067\nnlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071\nnlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]\nndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456\nrtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629\nnetlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268\nnetlink_recvmsg+0xc5c/0x15a0 
net/netlink/af_netlink.c:1995\nsock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019\n____sys_recvmsg+0x664/0x7f0 net/socket.c:2720\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716\nslab_alloc_node mm/slub.c:3451 [inline]\n__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490\nkmalloc_trace+0x51/0x200 mm/slab_common.c:1057\nkmalloc include/linux/slab.h:559 [inline]\n__hw_addr_create net/core/dev_addr_lists.c:60 [inline]\n__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118\n__dev_mc_add net/core/dev_addr_lists.c:867 [inline]\ndev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885\nigmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680\nipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754\nipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708\naddrconf_type_change net/ipv6/addrconf.c:3731 [inline]\naddrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699\nnotifier_call_chain kernel/notifier.c:93 [inline]\nraw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1935 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:1973 [inline]\ncall_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987\nbond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906\ndo_set_master net/core/rtnetlink.c:2626 [inline]\nrtnl_newlink_create net/core/rtnetlink.c:3460 [inline]\n__rtnl_newlink net/core/rtnetlink.c:3660 [inline]\nrtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673\nrtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395\nnetlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546\nrtnetlink_rcv+0x34/0x40 
net/core/rtnetlink.c:6413\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0xf28/0x1230 net/netlink/af_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:32.109Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61d1bf3c34bf5fe936c50d1a4bc460babcc85e88"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd1de6107f10e7d4c2aabe3397b58d63672fc511"
        },
        {
          "url": "https://git.kernel.org/stable/c/44db85c6e1a184b99a2cdf56b525ac63c4962c22"
        },
        {
          "url": "https://git.kernel.org/stable/c/619384319b137908d1008c92426c9daa95c06b90"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9331c8fa4c69f09d2c71682af75586f77266e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6f2d4618fc697886ad41e215ae20638153e42d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/73862118bd9dec850aa8e775145647ddd23aedf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa5406950726e336c5c9585b09799a734b6e77bf"
        }
      ],
      "title": "netlink: do not hard code device address lenth in fdb dumps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53863",
    "datePublished": "2025-12-09T01:30:32.109Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:32.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53862 (GCVE-0-2023-53862)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

hfs: fix missing hfs_bnode_get() in __hfs_bnode_create

Syzbot found a kernel BUG in hfs_bnode_put():

 kernel BUG at fs/hfs/bnode.c:466!
 invalid opcode: 0000 [#1] PREEMPT SMP KASAN
 CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Workqueue: writeback wb_workfn (flush-7:0)
 RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466
 Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56
 RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293
 RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1
 R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80
 R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00
 FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  hfs_write_inode+0x1bc/0xb40
  write_inode fs/fs-writeback.c:1440 [inline]
  __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652
  writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878
  __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949
  wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054
  wb_check_start_all fs/fs-writeback.c:2176 [inline]
  wb_do_writeback fs/fs-writeback.c:2202 [inline]
  wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235
  process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
  worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
  kthread+0x266/0x300 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
  </TASK>

The BUG_ON() is triggered at here:

/* Dispose of resources used by a node */
void hfs_bnode_put(struct hfs_bnode *node)
{
	if (node) {
		<skipped>
		BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!
		<skipped>
	}
}

By tracing the refcnt, I found the node is created by hfs_bmap_alloc() with refcnt 1. Then the node is used by hfs_btree_write(). There is a missing of hfs_bnode_get() after find the node. The issue happened in following path:

<alloc>
 hfs_bmap_alloc
   hfs_bnode_find
     __hfs_bnode_create   <- allocate a new node with refcnt 1.
   hfs_bnode_put          <- decrease the refcnt

<write>
 hfs_btree_write
   hfs_bnode_find
     __hfs_bnode_create
       hfs_bnode_findhash <- find the node without refcnt increased.
   hfs_bnode_put          <- trigger the BUG_ON() since refcnt is 0.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 062af3e9930762d1fd22946748d34e0d859e4a8e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3a9065a33988c02789722be612f7c42fb8ebbb22 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eda6879272e4df5456afc36642052ea066f58410 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dc9f78b6d254427a06e568f2887b1011ef3143ef (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2cab8db14566cf6a516c1f103a60cf6b7f54b1e5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8140cdc57bc5844cd5e1392673ec2dbf8fdc6940 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38d72e6604b9f96dffcc0565090cc01622a37b2a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a9dc087fd3c484fd1ed18c5efb290efaaf44ce03 (git)
    Linux Linux Unaffected: 4.14.308 , ≤ 4.14.* (semver)
Unaffected: 4.19.276 , ≤ 4.19.* (semver)
Unaffected: 5.4.235 , ≤ 5.4.* (semver)
Unaffected: 5.10.173 , ≤ 5.10.* (semver)
Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hfs/bnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "062af3e9930762d1fd22946748d34e0d859e4a8e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3a9065a33988c02789722be612f7c42fb8ebbb22",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "eda6879272e4df5456afc36642052ea066f58410",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dc9f78b6d254427a06e568f2887b1011ef3143ef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2cab8db14566cf6a516c1f103a60cf6b7f54b1e5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8140cdc57bc5844cd5e1392673ec2dbf8fdc6940",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "38d72e6604b9f96dffcc0565090cc01622a37b2a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a9dc087fd3c484fd1ed18c5efb290efaaf44ce03",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hfs/bnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.308",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.308",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.276",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.173",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nSyzbot found a kernel BUG in hfs_bnode_put():\n\n kernel BUG at fs/hfs/bnode.c:466!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: writeback wb_workfn (flush-7:0)\n RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466\n Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff \u003c0f\u003e 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56\n RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293\n RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1\n R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80\n R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00\n FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cTASK\u003e\n  hfs_write_inode+0x1bc/0xb40\n  write_inode fs/fs-writeback.c:1440 [inline]\n  __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652\n  writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878\n  __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949\n  wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054\n  wb_check_start_all fs/fs-writeback.c:2176 [inline]\n  wb_do_writeback fs/fs-writeback.c:2202 [inline]\n  wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235\n  
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n  worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n  kthread+0x266/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n  \u003c/TASK\u003e\n\nThe BUG_ON() is triggered at here:\n\n/* Dispose of resources used by a node */\nvoid hfs_bnode_put(struct hfs_bnode *node)\n{\n\tif (node) {\n \t\t\u003cskipped\u003e\n \t\tBUG_ON(!atomic_read(\u0026node-\u003erefcnt)); \u003c- we have issue here!!!!\n \t\t\u003cskipped\u003e\n \t}\n}\n\nBy tracing the refcnt, I found the node is created by hfs_bmap_alloc()\nwith refcnt 1.  Then the node is used by hfs_btree_write().  There is a\nmissing of hfs_bnode_get() after find the node.  The issue happened in\nfollowing path:\n\n\u003calloc\u003e\n hfs_bmap_alloc\n   hfs_bnode_find\n     __hfs_bnode_create   \u003c- allocate a new node with refcnt 1.\n   hfs_bnode_put          \u003c- decrease the refcnt\n\n\u003cwrite\u003e\n hfs_btree_write\n   hfs_bnode_find\n     __hfs_bnode_create\n       hfs_bnode_findhash \u003c- find the node without refcnt increased.\n   hfs_bnode_put\t  \u003c- trigger the BUG_ON() since refcnt is 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:30.902Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22"
        },
        {
          "url": "https://git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940"
        },
        {
          "url": "https://git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03"
        }
      ],
      "title": "hfs: fix missing hfs_bnode_get() in __hfs_bnode_create",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53862",
    "datePublished": "2025-12-09T01:30:30.902Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:30.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53861 (GCVE-0-2023-53861)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

ext4: correct grp validation in ext4_mb_good_group

Group corruption check will access memory of grp and will trigger kernel crash if grp is NULL. So do NULL check before corruption check.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 100c0ad6c04597fefeaaba2bb1827cc015d95067 , < 245759d987b617d183061db6ab8886ebb5cc78e9 (git)
Affected: 620a3c28221bb219b81bc0bffd065cc187494302 , < 3e24082f16825279054a2b8a5e668d65070bbf07 (git)
Affected: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed , < 772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d (git)
Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < 83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4 (git)
Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < e69d665987db0e37896adf78a7e718f9a0a75d3f (git)
Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 (git)
Affected: 31668cebf45adfb6283e465e641c4f5a21b07afa (git)
    Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 5.10.195 , ≤ 5.10.* (semver)
Unaffected: 5.15.132 , ≤ 5.15.* (semver)
Unaffected: 6.1.53 , ≤ 6.1.* (semver)
Unaffected: 6.4.16 , ≤ 6.4.* (semver)
Unaffected: 6.5.3 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "245759d987b617d183061db6ab8886ebb5cc78e9",
              "status": "affected",
              "version": "100c0ad6c04597fefeaaba2bb1827cc015d95067",
              "versionType": "git"
            },
            {
              "lessThan": "3e24082f16825279054a2b8a5e668d65070bbf07",
              "status": "affected",
              "version": "620a3c28221bb219b81bc0bffd065cc187494302",
              "versionType": "git"
            },
            {
              "lessThan": "772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d",
              "status": "affected",
              "version": "b4319e457d6e3fb33e443efeaf4634fc36e8a9ed",
              "versionType": "git"
            },
            {
              "lessThan": "83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4",
              "status": "affected",
              "version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
              "versionType": "git"
            },
            {
              "lessThan": "e69d665987db0e37896adf78a7e718f9a0a75d3f",
              "status": "affected",
              "version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
              "versionType": "git"
            },
            {
              "lessThan": "a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93",
              "status": "affected",
              "version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31668cebf45adfb6283e465e641c4f5a21b07afa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.195",
                  "versionStartIncluding": "5.10.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.132",
                  "versionStartIncluding": "5.15.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.53",
                  "versionStartIncluding": "6.1.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.16",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.3",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: correct grp validation in ext4_mb_good_group\n\nGroup corruption check will access memory of grp and will trigger kernel\ncrash if grp is NULL. So do NULL check before corruption check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:29.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/245759d987b617d183061db6ab8886ebb5cc78e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e24082f16825279054a2b8a5e668d65070bbf07"
        },
        {
          "url": "https://git.kernel.org/stable/c/772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d"
        },
        {
          "url": "https://git.kernel.org/stable/c/83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e69d665987db0e37896adf78a7e718f9a0a75d3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93"
        }
      ],
      "title": "ext4: correct grp validation in ext4_mb_good_group",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53861",
    "datePublished": "2025-12-09T01:30:29.423Z",
    "dateReserved": "2025-12-09T01:27:17.829Z",
    "dateUpdated": "2025-12-09T01:30:29.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53860 (GCVE-0-2023-53860)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

dm: don't attempt to queue IO under RCU protection

dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, it's fine to attempt to submit that IO while under RCU read lock protection. This is not OK, as REQ_NOWAIT just means that we should not be sleeping waiting on other IO, it does not mean that we can't potentially schedule.

A simple test case demonstrates this quite nicely:

int main(int argc, char *argv[])
{
        struct iovec iov;
        int fd;

        fd = open("/dev/dm-0", O_RDONLY | O_DIRECT);
        posix_memalign(&iov.iov_base, 4096, 4096);
        iov.iov_len = 4096;
        preadv2(fd, &iov, 1, 0, RWF_NOWAIT);
        return 0;
}

which will instantly spew:

BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x11d/0x1b0
 __might_resched+0x3c3/0x5e0
 ? preempt_count_sub+0x150/0x150
 mempool_alloc+0x1e2/0x390
 ? mempool_resize+0x7d0/0x7d0
 ? lock_sync+0x190/0x190
 ? lock_release+0x4b7/0x670
 ? internal_get_user_pages_fast+0x868/0x2d40
 bio_alloc_bioset+0x417/0x8c0
 ? bvec_alloc+0x200/0x200
 ? internal_get_user_pages_fast+0xb8c/0x2d40
 bio_alloc_clone+0x53/0x100
 dm_submit_bio+0x27f/0x1a20
 ? lock_release+0x4b7/0x670
 ? blk_try_enter_queue+0x1a0/0x4d0
 ? dm_dax_direct_access+0x260/0x260
 ? rcu_is_watching+0x12/0xb0
 ? blk_try_enter_queue+0x1cc/0x4d0
 __submit_bio+0x239/0x310
 ? __bio_queue_enter+0x700/0x700
 ? kvm_clock_get_cycles+0x40/0x60
 ? ktime_get+0x285/0x470
 submit_bio_noacct_nocheck+0x4d9/0xb80
 ? should_fail_request+0x80/0x80
 ? preempt_count_sub+0x150/0x150
 ? lock_release+0x4b7/0x670
 ? __bio_add_page+0x143/0x2d0
 ? iov_iter_revert+0x27/0x360
 submit_bio_noacct+0x53e/0x1b30
 submit_bio_wait+0x10a/0x230
 ? submit_bio_wait_endio+0x40/0x40
 __blkdev_direct_IO_simple+0x4f8/0x780
 ? blkdev_bio_end_io+0x4c0/0x4c0
 ? stack_trace_save+0x90/0xc0
 ? __bio_clone+0x3c0/0x3c0
 ? lock_release+0x4b7/0x670
 ? lock_sync+0x190/0x190
 ? atime_needs_update+0x3bf/0x7e0
 ? timestamp_truncate+0x21b/0x2d0
 ? inode_owner_or_capable+0x240/0x240
 blkdev_direct_IO.part.0+0x84a/0x1810
 ? rcu_is_watching+0x12/0xb0
 ? lock_release+0x4b7/0x670
 ? blkdev_read_iter+0x40d/0x530
 ? reacquire_held_locks+0x4e0/0x4e0
 ? __blkdev_direct_IO_simple+0x780/0x780
 ? rcu_is_watching+0x12/0xb0
 ? __mark_inode_dirty+0x297/0xd50
 ? preempt_count_add+0x72/0x140
 blkdev_read_iter+0x2a4/0x530
 do_iter_readv_writev+0x2f2/0x3c0
 ? generic_copy_file_range+0x1d0/0x1d0
 ? fsnotify_perm.part.0+0x25d/0x630
 ? security_file_permission+0xd8/0x100
 do_iter_read+0x31b/0x880
 ? import_iovec+0x10b/0x140
 vfs_readv+0x12d/0x1a0
 ? vfs_iter_read+0xb0/0xb0
 ? rcu_is_watching+0x12/0xb0
 ? rcu_is_watching+0x12/0xb0
 ? lock_release+0x4b7/0x670
 do_preadv+0x1b3/0x260
 ? do_readv+0x370/0x370
 __x64_sys_preadv2+0xef/0x150
 do_syscall_64+0x39/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5af41ad806
Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55
RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806
RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001
 </TASK>

where in fact it is
---truncated---
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70 , < d7b2abd87d1fcdb47811f90090a363e7ca15cb14 (git)
Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70 , < 699775e9338adcd4eaedea000d32c60250c3114d (git)
Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70 , < a9ce385344f916cd1c36a33905e564f5581beae9 (git)
    Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.55 , ≤ 6.1.* (semver)
Unaffected: 6.5.5 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7b2abd87d1fcdb47811f90090a363e7ca15cb14",
              "status": "affected",
              "version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
              "versionType": "git"
            },
            {
              "lessThan": "699775e9338adcd4eaedea000d32c60250c3114d",
              "status": "affected",
              "version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
              "versionType": "git"
            },
            {
              "lessThan": "a9ce385344f916cd1c36a33905e564f5581beae9",
              "status": "affected",
              "version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.55",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.5",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: don\u0027t attempt to queue IO under RCU protection\n\ndm looks up the table for IO based on the request type, with an\nassumption that if the request is marked REQ_NOWAIT, it\u0027s fine to\nattempt to submit that IO while under RCU read lock protection. This\nis not OK, as REQ_NOWAIT just means that we should not be sleeping\nwaiting on other IO, it does not mean that we can\u0027t potentially\nschedule.\n\nA simple test case demonstrates this quite nicely:\n\nint main(int argc, char *argv[])\n{\n        struct iovec iov;\n        int fd;\n\n        fd = open(\"/dev/dm-0\", O_RDONLY | O_DIRECT);\n        posix_memalign(\u0026iov.iov_base, 4096, 4096);\n        iov.iov_len = 4096;\n        preadv2(fd, \u0026iov, 1, 0, RWF_NOWAIT);\n        return 0;\n}\n\nwhich will instantly spew:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:306\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x11d/0x1b0\n __might_resched+0x3c3/0x5e0\n ? preempt_count_sub+0x150/0x150\n mempool_alloc+0x1e2/0x390\n ? mempool_resize+0x7d0/0x7d0\n ? lock_sync+0x190/0x190\n ? lock_release+0x4b7/0x670\n ? internal_get_user_pages_fast+0x868/0x2d40\n bio_alloc_bioset+0x417/0x8c0\n ? bvec_alloc+0x200/0x200\n ? internal_get_user_pages_fast+0xb8c/0x2d40\n bio_alloc_clone+0x53/0x100\n dm_submit_bio+0x27f/0x1a20\n ? lock_release+0x4b7/0x670\n ? blk_try_enter_queue+0x1a0/0x4d0\n ? dm_dax_direct_access+0x260/0x260\n ? rcu_is_watching+0x12/0xb0\n ? blk_try_enter_queue+0x1cc/0x4d0\n __submit_bio+0x239/0x310\n ? __bio_queue_enter+0x700/0x700\n ? 
kvm_clock_get_cycles+0x40/0x60\n ? ktime_get+0x285/0x470\n submit_bio_noacct_nocheck+0x4d9/0xb80\n ? should_fail_request+0x80/0x80\n ? preempt_count_sub+0x150/0x150\n ? lock_release+0x4b7/0x670\n ? __bio_add_page+0x143/0x2d0\n ? iov_iter_revert+0x27/0x360\n submit_bio_noacct+0x53e/0x1b30\n submit_bio_wait+0x10a/0x230\n ? submit_bio_wait_endio+0x40/0x40\n __blkdev_direct_IO_simple+0x4f8/0x780\n ? blkdev_bio_end_io+0x4c0/0x4c0\n ? stack_trace_save+0x90/0xc0\n ? __bio_clone+0x3c0/0x3c0\n ? lock_release+0x4b7/0x670\n ? lock_sync+0x190/0x190\n ? atime_needs_update+0x3bf/0x7e0\n ? timestamp_truncate+0x21b/0x2d0\n ? inode_owner_or_capable+0x240/0x240\n blkdev_direct_IO.part.0+0x84a/0x1810\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n ? blkdev_read_iter+0x40d/0x530\n ? reacquire_held_locks+0x4e0/0x4e0\n ? __blkdev_direct_IO_simple+0x780/0x780\n ? rcu_is_watching+0x12/0xb0\n ? __mark_inode_dirty+0x297/0xd50\n ? preempt_count_add+0x72/0x140\n blkdev_read_iter+0x2a4/0x530\n do_iter_readv_writev+0x2f2/0x3c0\n ? generic_copy_file_range+0x1d0/0x1d0\n ? fsnotify_perm.part.0+0x25d/0x630\n ? security_file_permission+0xd8/0x100\n do_iter_read+0x31b/0x880\n ? import_iovec+0x10b/0x140\n vfs_readv+0x12d/0x1a0\n ? vfs_iter_read+0xb0/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n do_preadv+0x1b3/0x260\n ? 
do_readv+0x370/0x370\n __x64_sys_preadv2+0xef/0x150\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f5af41ad806\nCode: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55\nRSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806\nRDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003\nRBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003\nR13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001\n \u003c/TASK\u003e\n\nwhere in fact it is\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:27.903Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7b2abd87d1fcdb47811f90090a363e7ca15cb14"
        },
        {
          "url": "https://git.kernel.org/stable/c/699775e9338adcd4eaedea000d32c60250c3114d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9ce385344f916cd1c36a33905e564f5581beae9"
        }
      ],
      "title": "dm: don\u0027t attempt to queue IO under RCU protection",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53860",
    "datePublished": "2025-12-09T01:30:27.903Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:27.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53859 (GCVE-0-2023-53859)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

s390/idle: mark arch_cpu_idle() noinstr

linux-next commit ("cpuidle: tracing: Warn about !rcu_is_watching()") adds a new warning which hits on s390's arch_cpu_idle() function:

RCU not on for: arch_cpu_idle+0x0/0x28
WARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258
Modules linked in:
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4
Hardware name: IBM 8561 T01 703 (z/VM 7.3.0)
Krnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
Krnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000
           0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000
           0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0
           0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8
Krnl Code: 00000000002b55b0: c02000840051        larl    %r2,0000000001335652
           00000000002b55b6: c0e5fff512d1        brasl   %r14,0000000000157b58
          #00000000002b55bc: af000000            mc      0,0
          >00000000002b55c0: a7f4ffe7            brc     15,00000000002b558e
           00000000002b55c4: 0707                bcr     0,%r7
           00000000002b55c6: 0707                bcr     0,%r7
           00000000002b55c8: eb6ff0480024        stmg    %r6,%r15,72(%r15)
           00000000002b55ce: b90400ef            lgr     %r14,%r15
Call Trace:
 [<00000000002b55c0>] arch_ftrace_ops_list_func+0x250/0x258
([<00000000002b55bc>] arch_ftrace_ops_list_func+0x24c/0x258)
 [<0000000000f5f0fc>] ftrace_common+0x1c/0x20
 [<00000000001044f6>] arch_cpu_idle+0x6/0x28
 [<0000000000f4acf6>] default_idle_call+0x76/0x128
 [<00000000001cc374>] do_idle+0xf4/0x1b0
 [<00000000001cc6ce>] cpu_startup_entry+0x36/0x40
 [<0000000000119d00>] smp_start_secondary+0x140/0x150
 [<0000000000f5d2ae>] restart_int_handler+0x6e/0x90

Mark arch_cpu_idle() noinstr like all other architectures with CONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 49aa49952116b8fd56bfb1e8c69bce179f49bece (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 611c390217106c46e24e1af3db83187339d447ea (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a9cbc1b471d291c865907542394f1c483b93a811 (git)
    Linux Linux Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49aa49952116b8fd56bfb1e8c69bce179f49bece",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "611c390217106c46e24e1af3db83187339d447ea",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a9cbc1b471d291c865907542394f1c483b93a811",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/idle: mark arch_cpu_idle() noinstr\n\nlinux-next commit (\"cpuidle: tracing: Warn about !rcu_is_watching()\")\nadds a new warning which hits on s390\u0027s arch_cpu_idle() function:\n\nRCU not on for: arch_cpu_idle+0x0/0x28\nWARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258\nModules linked in:\nCPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4\nHardware name: IBM 8561 T01 703 (z/VM 7.3.0)\nKrnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258)\n           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\nKrnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000\n           0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000\n           0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0\n           0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8\nKrnl Code: 00000000002b55b0: c02000840051        larl    %r2,0000000001335652\n           00000000002b55b6: c0e5fff512d1        brasl   %r14,0000000000157b58\n          #00000000002b55bc: af000000            mc      0,0\n          \u003e00000000002b55c0: a7f4ffe7            brc     15,00000000002b558e\n           00000000002b55c4: 0707                bcr     0,%r7\n           00000000002b55c6: 0707                bcr     0,%r7\n           00000000002b55c8: eb6ff0480024        stmg    %r6,%r15,72(%r15)\n           00000000002b55ce: b90400ef            lgr     %r14,%r15\nCall Trace:\n [\u003c00000000002b55c0\u003e] arch_ftrace_ops_list_func+0x250/0x258\n([\u003c00000000002b55bc\u003e] arch_ftrace_ops_list_func+0x24c/0x258)\n [\u003c0000000000f5f0fc\u003e] ftrace_common+0x1c/0x20\n [\u003c00000000001044f6\u003e] arch_cpu_idle+0x6/0x28\n [\u003c0000000000f4acf6\u003e] default_idle_call+0x76/0x128\n [\u003c00000000001cc374\u003e] do_idle+0xf4/0x1b0\n 
[\u003c00000000001cc6ce\u003e] cpu_startup_entry+0x36/0x40\n [\u003c0000000000119d00\u003e] smp_start_secondary+0x140/0x150\n [\u003c0000000000f5d2ae\u003e] restart_int_handler+0x6e/0x90\n\nMark arch_cpu_idle() noinstr like all other architectures with\nCONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:26.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49aa49952116b8fd56bfb1e8c69bce179f49bece"
        },
        {
          "url": "https://git.kernel.org/stable/c/611c390217106c46e24e1af3db83187339d447ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9cbc1b471d291c865907542394f1c483b93a811"
        }
      ],
      "title": "s390/idle: mark arch_cpu_idle() noinstr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53859",
    "datePublished": "2025-12-09T01:30:26.351Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:26.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53858 (GCVE-0-2023-53858)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 755289d67eb9a74ae71bb624902e979c66859444 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < f47e6631a8fcc6fe05b8644aa4222a60f3b0a927 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 30962268fa1a7466413b3d83037688129021d470 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a49e5a05121c8bc471a57b4916c5393749c24de5 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 073dbbe5743779faf24f233cc95459b47c7198dd (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 34f5b826dd509b76644f83094b4af7e7668a6a38 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 1694fc8ad734e2909a9e40d2be03cc4423e0bee6 (git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a9c09546e903f1068acfa38e1ee18bded7114b37 (git)
    Linux Linux Affected: 3.3
Unaffected: 0 , < 3.3 (semver)
Unaffected: 4.14.322 , ≤ 4.14.* (semver)
Unaffected: 4.19.291 , ≤ 4.19.* (semver)
Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.121 , ≤ 5.15.* (semver)
Unaffected: 6.1.40 , ≤ 6.1.* (semver)
Unaffected: 6.4.5 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/samsung_tty.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "755289d67eb9a74ae71bb624902e979c66859444",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "f47e6631a8fcc6fe05b8644aa4222a60f3b0a927",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "30962268fa1a7466413b3d83037688129021d470",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "a49e5a05121c8bc471a57b4916c5393749c24de5",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "073dbbe5743779faf24f233cc95459b47c7198dd",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "34f5b826dd509b76644f83094b4af7e7668a6a38",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "1694fc8ad734e2909a9e40d2be03cc4423e0bee6",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            },
            {
              "lessThan": "a9c09546e903f1068acfa38e1ee18bded7114b37",
              "status": "affected",
              "version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/samsung_tty.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.322",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.291",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.121",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.40",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.5",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error\n\nIf clk_get_rate() fails, the clk that has just been allocated needs to be\nfreed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:24.886Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/755289d67eb9a74ae71bb624902e979c66859444"
        },
        {
          "url": "https://git.kernel.org/stable/c/f47e6631a8fcc6fe05b8644aa4222a60f3b0a927"
        },
        {
          "url": "https://git.kernel.org/stable/c/30962268fa1a7466413b3d83037688129021d470"
        },
        {
          "url": "https://git.kernel.org/stable/c/a49e5a05121c8bc471a57b4916c5393749c24de5"
        },
        {
          "url": "https://git.kernel.org/stable/c/073dbbe5743779faf24f233cc95459b47c7198dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/34f5b826dd509b76644f83094b4af7e7668a6a38"
        },
        {
          "url": "https://git.kernel.org/stable/c/1694fc8ad734e2909a9e40d2be03cc4423e0bee6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9c09546e903f1068acfa38e1ee18bded7114b37"
        }
      ],
      "title": "tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53858",
    "datePublished": "2025-12-09T01:30:24.886Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:24.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53857 (GCVE-0-2023-53857)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27.138122] [ BUG: Invalid wait context ] [ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O [ 27.139542] ----------------------------- [ 27.140106] test_progs/1729 is trying to lock: [ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130 [ 27.141834] other info that might help us debug this: [ 27.142437] context-{5:5} [ 27.142856] 2 locks held by test_progs/1729: [ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40 [ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0 [ 27.145855] stack backtrace: [ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247 [ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 27.149127] Call Trace: [ 27.149490] <TASK> [ 27.149867] dump_stack_lvl+0x130/0x1d0 [ 27.152609] dump_stack+0x14/0x20 [ 27.153131] __lock_acquire+0x1657/0x2220 [ 27.153677] lock_acquire+0x1b8/0x510 [ 27.157908] local_lock_acquire+0x29/0x130 [ 27.159048] obj_cgroup_charge+0xf4/0x3c0 [ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0 [ 27.161931] __kmem_cache_alloc_node+0x51/0x210 [ 27.163557] __kmalloc+0xaa/0x210 [ 27.164593] bpf_map_kzalloc+0xbc/0x170 [ 27.165147] bpf_selem_alloc+0x130/0x510 [ 27.166295] bpf_local_storage_update+0x5aa/0x8e0 [ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0 [ 27.169199] bpf_map_update_value+0x415/0x4f0 [ 27.169871] map_update_elem+0x413/0x550 [ 27.170330] __sys_bpf+0x5e9/0x640 [ 27.174065] __x64_sys_bpf+0x80/0x90 [ 27.174568] do_syscall_64+0x48/0xa0 [ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 27.175932] RIP: 0033:0x7effb40e41ad [ 27.176357] Code: ff c3 66 2e 
0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8 [ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141 [ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad [ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002 [ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788 [ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000 [ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000 [ 27.184958] </TASK> It complains about acquiring a local_lock while holding a raw_spin_lock. It means it should not allocate memory while holding a raw_spin_lock since it is not safe for RT. raw_spin_lock is needed because bpf_local_storage supports tracing context. In particular for task local storage, it is easy to get a "current" task PTR_TO_BTF_ID in tracing bpf prog. However, task (and cgroup) local storage has already been moved to bpf mem allocator which can be used after raw_spin_lock. The splat is for the sk storage. For sk (and inode) storage, it has not been moved to bpf mem allocator. Using raw_spin_lock or not, kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context. However, the local storage helper requires a verifier accepted sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running a bpf prog in a kzalloc unsafe context and also able to hold a verifier accepted sk pointer) could happen. This patch avoids kzalloc after raw_spin_lock to silent the splat. There is an existing kzalloc before the raw_spin_lock. At that point, a kzalloc is very likely required because a lookup has just been done before. Thus, this patch always does the kzalloc before acq ---truncated---
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: b00fa38a9c1cba044a32a601b49a55a18ed719d1 , < 300415caa373a07782fcbc2f8d9429bc2dc27a47 (git)
Affected: b00fa38a9c1cba044a32a601b49a55a18ed719d1 , < a96a44aba556c42b432929d37d60158aca21ad4c (git)
    Linux Linux Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.5.4 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/bpf_local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "300415caa373a07782fcbc2f8d9429bc2dc27a47",
              "status": "affected",
              "version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
              "versionType": "git"
            },
            {
              "lessThan": "a96a44aba556c42b432929d37d60158aca21ad4c",
              "status": "affected",
              "version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/bpf_local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n\n\u0027./test_progs -t test_local_storage\u0027 reported a splat:\n\n[   27.137569] =============================\n[   27.138122] [ BUG: Invalid wait context ]\n[   27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G           O\n[   27.139542] -----------------------------\n[   27.140106] test_progs/1729 is trying to lock:\n[   27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[   27.141834] other info that might help us debug this:\n[   27.142437] context-{5:5}\n[   27.142856] 2 locks held by test_progs/1729:\n[   27.143352]  #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[   27.144492]  #1: ffff888107deb2c0 (\u0026storage-\u003elock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[   27.145855] stack backtrace:\n[   27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G           O       6.5.0-03980-gd11ae1b16b0a #247\n[   27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   27.149127] Call Trace:\n[   27.149490]  \u003cTASK\u003e\n[   27.149867]  dump_stack_lvl+0x130/0x1d0\n[   27.152609]  dump_stack+0x14/0x20\n[   27.153131]  __lock_acquire+0x1657/0x2220\n[   27.153677]  lock_acquire+0x1b8/0x510\n[   27.157908]  local_lock_acquire+0x29/0x130\n[   27.159048]  obj_cgroup_charge+0xf4/0x3c0\n[   27.160794]  slab_pre_alloc_hook+0x28e/0x2b0\n[   27.161931]  __kmem_cache_alloc_node+0x51/0x210\n[   27.163557]  __kmalloc+0xaa/0x210\n[   27.164593]  bpf_map_kzalloc+0xbc/0x170\n[   27.165147]  bpf_selem_alloc+0x130/0x510\n[   27.166295]  bpf_local_storage_update+0x5aa/0x8e0\n[   27.167042]  bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[   27.169199]  bpf_map_update_value+0x415/0x4f0\n[   27.169871]  map_update_elem+0x413/0x550\n[   27.170330]  
__sys_bpf+0x5e9/0x640\n[   27.174065]  __x64_sys_bpf+0x80/0x90\n[   27.174568]  do_syscall_64+0x48/0xa0\n[   27.175201]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[   27.175932] RIP: 0033:0x7effb40e41ad\n[   27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[   27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[   27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[   27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[   27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[   27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[   27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[   27.184958]  \u003c/TASK\u003e\n\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\n\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\n\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. 
Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\n\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. Thus, this patch always does the kzalloc before acq\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:23.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47"
        },
        {
          "url": "https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c"
        }
      ],
      "title": "bpf: bpf_sk_storage: Fix invalid wait context lockdep report",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53857",
    "datePublished": "2025-12-09T01:30:23.593Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:23.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53856 (GCVE-0-2023-53856)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overlay_remove() to clean up this partial state. However, of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). Hence if the overlay fails to apply due to an unresolved symbol, the overlay_changeset.cset.entries list is still uninitialized, and cleanup will crash with a NULL-pointer dereference in overlay_removal_is_ok(). Fix this by moving the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), where all other early initialization is done.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < 01bb96ad38089f5cc6de7746dac13437d35eb1dc (git)
Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < 3fb210cd521c9efcb211e9f5ce40fc907200bf13 (git)
Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < be86241bf5d1efd16d8a7231c13b33459c5d755d (git)
Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < c403c81b577a67fe9ec6a2e89d143256487be50f (git)
Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < a9515ff4fb142b690a0d2b58782b15903b990dba (git)
    Linux Linux Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.15.132 , ≤ 5.15.* (semver)
Unaffected: 6.1.53 , ≤ 6.1.* (semver)
Unaffected: 6.4.16 , ≤ 6.4.* (semver)
Unaffected: 6.5.3 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/overlay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "01bb96ad38089f5cc6de7746dac13437d35eb1dc",
              "status": "affected",
              "version": "f948d6d8b792bb90041edc12eac35faf83030994",
              "versionType": "git"
            },
            {
              "lessThan": "3fb210cd521c9efcb211e9f5ce40fc907200bf13",
              "status": "affected",
              "version": "f948d6d8b792bb90041edc12eac35faf83030994",
              "versionType": "git"
            },
            {
              "lessThan": "be86241bf5d1efd16d8a7231c13b33459c5d755d",
              "status": "affected",
              "version": "f948d6d8b792bb90041edc12eac35faf83030994",
              "versionType": "git"
            },
            {
              "lessThan": "c403c81b577a67fe9ec6a2e89d143256487be50f",
              "status": "affected",
              "version": "f948d6d8b792bb90041edc12eac35faf83030994",
              "versionType": "git"
            },
            {
              "lessThan": "a9515ff4fb142b690a0d2b58782b15903b990dba",
              "status": "affected",
              "version": "f948d6d8b792bb90041edc12eac35faf83030994",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/overlay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.132",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.53",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.16",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.3",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: overlay: Call of_changeset_init() early\n\nWhen of_overlay_fdt_apply() fails, the changeset may be partially\napplied, and the caller is still expected to call of_overlay_remove() to\nclean up this partial state.\n\nHowever, of_overlay_apply() calls of_resolve_phandles() before\ninit_overlay_changeset().  Hence if the overlay fails to apply due to an\nunresolved symbol, the overlay_changeset.cset.entries list is still\nuninitialized, and cleanup will crash with a NULL-pointer dereference in\noverlay_removal_is_ok().\n\nFix this by moving the call to of_changeset_init() from\ninit_overlay_changeset() to of_overlay_fdt_apply(), where all other\nearly initialization is done."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:22.012Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13"
        },
        {
          "url": "https://git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba"
        }
      ],
      "title": "of: overlay: Call of_changeset_init() early",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53856",
    "datePublished": "2025-12-09T01:30:22.012Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:22.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53855 (GCVE-0-2023-53855)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove

When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat:

$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
 dsa_tag_8021q_unregister+0x12c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G        W          6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
 dsa_tag_8021q_unregister+0x8c/0x1a0
 felix_tag_8021q_teardown+0x130/0x150
 felix_teardown+0x3c/0xd8
 dsa_tree_teardown_switches+0xbc/0xe0
 dsa_unregister_switch+0x168/0x260
 felix_pci_remove+0x30/0x60
 pci_device_remove+0x4c/0x100
 device_release_driver_internal+0x188/0x288
 device_links_unbind_consumers+0xfc/0x138
 device_release_driver_internal+0xe0/0x288
 device_driver_detach+0x24/0x38
 unbind_store+0xd8/0x108
 drv_attr_store+0x30/0x50
DSA: tree 0 torn down

This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 758dbcfb257e1aee0a310bae789c2af6ffe35d0f (git)
Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 7ae8fa6b70975b6efbbef7912d09bff5a0bff491 (git)
Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < a94c16a2fda010866b8858a386a8bfbeba4f72c5 (git)
Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.1.46 , ≤ 6.1.* (semver)
Unaffected: 6.4.11 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/ocelot/felix.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "758dbcfb257e1aee0a310bae789c2af6ffe35d0f",
              "status": "affected",
              "version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
              "versionType": "git"
            },
            {
              "lessThan": "7ae8fa6b70975b6efbbef7912d09bff5a0bff491",
              "status": "affected",
              "version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
              "versionType": "git"
            },
            {
              "lessThan": "a94c16a2fda010866b8858a386a8bfbeba4f72c5",
              "status": "affected",
              "version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/dsa/ocelot/felix.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.46",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove\n\nWhen the tagging protocol in current use is \"ocelot-8021q\" and we unbind\nthe driver, we see this splat:\n\n$ echo \u00270000:00:00.2\u0027 \u003e /sys/bus/pci/drivers/fsl_enetc/unbind\nmscc_felix 0000:00:00.5 swp0: left promiscuous mode\nsja1105 spi2.0: Link is Down\nDSA: tree 1 torn down\nmscc_felix 0000:00:00.5 swp2: left promiscuous mode\nsja1105 spi2.2: Link is Down\nDSA: tree 3 torn down\nfsl_enetc 0000:00:00.2 eno2: left promiscuous mode\nmscc_felix 0000:00:00.5: Link is Down\n------------[ cut here ]------------\nRTNL: assertion failed at net/dsa/tag_8021q.c (409)\nWARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0\nModules linked in:\nCPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771\npc : dsa_tag_8021q_unregister+0x12c/0x1a0\nlr : dsa_tag_8021q_unregister+0x12c/0x1a0\nCall trace:\n dsa_tag_8021q_unregister+0x12c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nRTNL: assertion failed at net/8021q/vlan_core.c (376)\nWARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0\nCPU: 1 PID: 329 Comm: bash Tainted: G        W          6.5.0-rc3+ #771\npc : vlan_vid_del+0x1b8/0x1f0\nlr : vlan_vid_del+0x1b8/0x1f0\n dsa_tag_8021q_unregister+0x8c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\nDSA: tree 0 torn down\n\nThis was somewhat not so easy to spot, because \"ocelot-8021q\" is not the\ndefault tagging protocol, and thus, not everyone who tests the unbinding\npath may have switched to it beforehand. The default\nfelix_tag_npi_teardown() does not require rtnl_lock() to be held."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:20.864Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/758dbcfb257e1aee0a310bae789c2af6ffe35d0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ae8fa6b70975b6efbbef7912d09bff5a0bff491"
        },
        {
          "url": "https://git.kernel.org/stable/c/a94c16a2fda010866b8858a386a8bfbeba4f72c5"
        }
      ],
      "title": "net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53855",
    "datePublished": "2025-12-09T01:30:20.864Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:20.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53854 (GCVE-0-2023-53854)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: mediatek: mt8186: Fix use-after-free in driver remove path

When devm runs function in the "remove" path for a device it runs them in the reverse order. That means that if you have parts of your driver that aren't using devm or are using "roll your own" devm w/ devm_add_action_or_reset() you need to keep that in mind.

The mt8186 audio driver didn't quite get this right. Specifically, in mt8186_init_clock() it called mt8186_audsys_clk_register() and then went on to call a bunch of other devm function. The caller of mt8186_init_clock() used devm_add_action_or_reset() to call mt8186_deinit_clock() but, because of the intervening devm functions, the order was wrong.

Specifically at probe time, the order was:
1. mt8186_audsys_clk_register()
2. afe_priv->clk = devm_kcalloc(...)
3. afe_priv->clk[i] = devm_clk_get(...)

At remove time, the order (which should have been 3, 2, 1) was:
1. mt8186_audsys_clk_unregister()
3. Free all of afe_priv->clk[i]
2. Free afe_priv->clk

The above seemed to be causing a use-after-free. Luckily, it's easy to fix this by simply using devm more correctly. Let's move the devm_add_action_or_reset() to the right place. In addition to fixing the use-after-free, code inspection shows that this fixes a leak (missing call to mt8186_audsys_clk_unregister()) that would have happened if any of the syscon_regmap_lookup_by_phandle() calls in mt8186_init_clock() had failed.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < 3e56a1c04882852e3e7d6c59756a16211ebbc457 (git)
Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < dffd9e2b57cb845930fa885aa634a847ba2130dd (git)
Affected: 55b423d5623ccd6785429431c2cf5f3e073b73ba , < a93d2afd3f77a7331271a0f25c6a11003db69b3c (git)
Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.30 , ≤ 6.1.* (semver)
Unaffected: 6.3.4 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8186/mt8186-afe-clk.c",
            "sound/soc/mediatek/mt8186/mt8186-afe-clk.h",
            "sound/soc/mediatek/mt8186/mt8186-afe-pcm.c",
            "sound/soc/mediatek/mt8186/mt8186-audsys-clk.c",
            "sound/soc/mediatek/mt8186/mt8186-audsys-clk.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3e56a1c04882852e3e7d6c59756a16211ebbc457",
              "status": "affected",
              "version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
              "versionType": "git"
            },
            {
              "lessThan": "dffd9e2b57cb845930fa885aa634a847ba2130dd",
              "status": "affected",
              "version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
              "versionType": "git"
            },
            {
              "lessThan": "a93d2afd3f77a7331271a0f25c6a11003db69b3c",
              "status": "affected",
              "version": "55b423d5623ccd6785429431c2cf5f3e073b73ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/mediatek/mt8186/mt8186-afe-clk.c",
            "sound/soc/mediatek/mt8186/mt8186-afe-clk.h",
            "sound/soc/mediatek/mt8186/mt8186-afe-pcm.c",
            "sound/soc/mediatek/mt8186/mt8186-audsys-clk.c",
            "sound/soc/mediatek/mt8186/mt8186-audsys-clk.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: mt8186: Fix use-after-free in driver remove path\n\nWhen devm runs function in the \"remove\" path for a device it runs them\nin the reverse order. That means that if you have parts of your driver\nthat aren\u0027t using devm or are using \"roll your own\" devm w/\ndevm_add_action_or_reset() you need to keep that in mind.\n\nThe mt8186 audio driver didn\u0027t quite get this right. Specifically, in\nmt8186_init_clock() it called mt8186_audsys_clk_register() and then\nwent on to call a bunch of other devm function. The caller of\nmt8186_init_clock() used devm_add_action_or_reset() to call\nmt8186_deinit_clock() but, because of the intervening devm functions,\nthe order was wrong.\n\nSpecifically at probe time, the order was:\n1. mt8186_audsys_clk_register()\n2. afe_priv-\u003eclk = devm_kcalloc(...)\n3. afe_priv-\u003eclk[i] = devm_clk_get(...)\n\nAt remove time, the order (which should have been 3, 2, 1) was:\n1. mt8186_audsys_clk_unregister()\n3. Free all of afe_priv-\u003eclk[i]\n2. Free afe_priv-\u003eclk\n\nThe above seemed to be causing a use-after-free. Luckily, it\u0027s easy to\nfix this by simply using devm more correctly. Let\u0027s move the\ndevm_add_action_or_reset() to the right place. In addition to fixing\nthe use-after-free, code inspection shows that this fixes a leak\n(missing call to mt8186_audsys_clk_unregister()) that would have\nhappened if any of the syscon_regmap_lookup_by_phandle() calls in\nmt8186_init_clock() had failed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:19.746Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3e56a1c04882852e3e7d6c59756a16211ebbc457"
        },
        {
          "url": "https://git.kernel.org/stable/c/dffd9e2b57cb845930fa885aa634a847ba2130dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a93d2afd3f77a7331271a0f25c6a11003db69b3c"
        }
      ],
      "title": "ASoC: mediatek: mt8186: Fix use-after-free in driver remove path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53854",
    "datePublished": "2025-12-09T01:30:19.746Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:19.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53853 (GCVE-0-2023-53853)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

netlink: annotate accesses to nlk->cb_running

Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. Use READ_ONCE() there.

Add corresponding WRITE_ONCE() to netlink_dump() and __netlink_dump_start()

syzbot reported:
BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg

write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:
__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399
netlink_dump_start include/linux/netlink.h:308 [inline]
rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130
netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
sock_write_iter+0x1aa/0x230 net/socket.c:1138
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x463/0x760 fs/read_write.c:584
ksys_write+0xeb/0x1a0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x42/0x50 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:
netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022
sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017
____sys_recvmsg+0x2db/0x310 net/socket.c:2718
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00 -> 0x01
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < e25e9d8a210ed78bdf0f364576dbee13aefadbf8 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 840a647499b093621167de56ffa8756dfc69f242 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a507022c862e10744a92c4bf5709775450a110ad (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < f92557f79a60cb142258f5fa7194f327573fadd8 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 1d5c8b01f1df0461256a6d75854ed806f50645a3 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a115dadf8995b1730c36c474401d97355705cb88 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < 02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3 (git)
Affected: 16b304f3404f8e0243d5ee2b70b68767b7b59b2b , < a939d14919b799e6fff8a9c80296ca229ba2f8a4 (git)
Linux Linux Affected: 3.12
Unaffected: 0 , < 3.12 (semver)
Unaffected: 4.14.316 , ≤ 4.14.* (semver)
Unaffected: 4.19.284 , ≤ 4.19.* (semver)
Unaffected: 5.4.244 , ≤ 5.4.* (semver)
Unaffected: 5.10.181 , ≤ 5.10.* (semver)
Unaffected: 5.15.113 , ≤ 5.15.* (semver)
Unaffected: 6.1.30 , ≤ 6.1.* (semver)
Unaffected: 6.3.4 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e25e9d8a210ed78bdf0f364576dbee13aefadbf8",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "840a647499b093621167de56ffa8756dfc69f242",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "a507022c862e10744a92c4bf5709775450a110ad",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "f92557f79a60cb142258f5fa7194f327573fadd8",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "1d5c8b01f1df0461256a6d75854ed806f50645a3",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "a115dadf8995b1730c36c474401d97355705cb88",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            },
            {
              "lessThan": "a939d14919b799e6fff8a9c80296ca229ba2f8a4",
              "status": "affected",
              "version": "16b304f3404f8e0243d5ee2b70b68767b7b59b2b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.316",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.284",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.244",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.316",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.284",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.244",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.181",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.113",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: annotate accesses to nlk-\u003ecb_running\n\nBoth netlink_recvmsg() and netlink_native_seq_show() read\nnlk-\u003ecb_running locklessly. Use READ_ONCE() there.\n\nAdd corresponding WRITE_ONCE() to netlink_dump() and\n__netlink_dump_start()\n\nsyzbot reported:\nBUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg\n\nwrite to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:\n__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399\nnetlink_dump_start include/linux/netlink.h:308 [inline]\nrtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130\nnetlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577\nrtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365\nnetlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942\nsock_sendmsg_nosec net/socket.c:724 [inline]\nsock_sendmsg net/socket.c:747 [inline]\nsock_write_iter+0x1aa/0x230 net/socket.c:1138\ncall_write_iter include/linux/fs.h:1851 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x463/0x760 fs/read_write.c:584\nksys_write+0xeb/0x1a0 fs/read_write.c:637\n__do_sys_write fs/read_write.c:649 [inline]\n__se_sys_write fs/read_write.c:646 [inline]\n__x64_sys_write+0x42/0x50 fs/read_write.c:646\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:\nnetlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022\nsock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017\n____sys_recvmsg+0x2db/0x310 net/socket.c:2718\n___sys_recvmsg net/socket.c:2762 [inline]\ndo_recvmmsg+0x2e5/0x710 net/socket.c:2856\n__sys_recvmmsg net/socket.c:2935 [inline]\n__do_sys_recvmmsg net/socket.c:2958 [inline]\n__se_sys_recvmmsg net/socket.c:2951 [inline]\n__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x00 -\u003e 0x01"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:18.628Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e25e9d8a210ed78bdf0f364576dbee13aefadbf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/840a647499b093621167de56ffa8756dfc69f242"
        },
        {
          "url": "https://git.kernel.org/stable/c/a507022c862e10744a92c4bf5709775450a110ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/f92557f79a60cb142258f5fa7194f327573fadd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5c8b01f1df0461256a6d75854ed806f50645a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a115dadf8995b1730c36c474401d97355705cb88"
        },
        {
          "url": "https://git.kernel.org/stable/c/02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a939d14919b799e6fff8a9c80296ca229ba2f8a4"
        }
      ],
      "title": "netlink: annotate accesses to nlk-\u003ecb_running",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53853",
    "datePublished": "2025-12-09T01:30:18.628Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:18.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53852 (GCVE-0-2023-53852)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

nvme-core: fix memory leak in dhchap_secret_store

Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleack:-

unreferenced object 0xffff8886376ea800 (size 64):
  comm "check", pid 22048, jiffies 4344316705 (age 92.199s)
  hex dump (first 32 bytes):
    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
  backtrace:
    [<0000000030ce5d4b>] __kmalloc+0x4b/0x130
    [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
    [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
    [<00000000437e7ced>] vfs_write+0x2ba/0x3c0
    [<00000000f9491baf>] ksys_write+0x5f/0xe0
    [<000000001c46513d>] do_syscall_64+0x3b/0x90
    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
unreferenced object 0xffff8886376eaf00 (size 64):
  comm "check", pid 22048, jiffies 4344316736 (age 92.168s)
  hex dump (first 32 bytes):
    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
  backtrace:
    [<0000000030ce5d4b>] __kmalloc+0x4b/0x130
    [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
    [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
    [<00000000437e7ced>] vfs_write+0x2ba/0x3c0
    [<00000000f9491baf>] ksys_write+0x5f/0xe0
    [<000000001c46513d>] do_syscall_64+0x3b/0x90
    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 2e9b141307554521d60fecf6bf1d2edc8dd0181d (git)
Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa (git)
Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 6a5eda5017959541ab82c5d56bcf784b8294e298 (git)
Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < a836ca33c5b07d34dd5347af9f64d25651d12674 (git)
    Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.39 , ≤ 6.1.* (semver)
Unaffected: 6.3.13 , ≤ 6.3.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2e9b141307554521d60fecf6bf1d2edc8dd0181d",
              "status": "affected",
              "version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
              "versionType": "git"
            },
            {
              "lessThan": "c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa",
              "status": "affected",
              "version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
              "versionType": "git"
            },
            {
              "lessThan": "6a5eda5017959541ab82c5d56bcf784b8294e298",
              "status": "affected",
              "version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
              "versionType": "git"
            },
            {
              "lessThan": "a836ca33c5b07d34dd5347af9f64d25651d12674",
              "status": "affected",
              "version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.39",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.13",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_secret_store\n\nFree dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return\nfix following kmemleack:-\n\nunreferenced object 0xffff8886376ea800 (size 64):\n  comm \"check\", pid 22048, jiffies 4344316705 (age 92.199s)\n  hex dump (first 32 bytes):\n    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67  DHHC-1:00:nxr5Kg\n    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c  uX4uoAxsJa4c/huL\n  backtrace:\n    [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n    [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n    [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n    [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n    [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n    [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n    [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc\nunreferenced object 0xffff8886376eaf00 (size 64):\n  comm \"check\", pid 22048, jiffies 4344316736 (age 92.168s)\n  hex dump (first 32 bytes):\n    44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67  DHHC-1:00:nxr5Kg\n    75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c  uX4uoAxsJa4c/huL\n  backtrace:\n    [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n    [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n    [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n    [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n    [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n    [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n    [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:17.449Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2e9b141307554521d60fecf6bf1d2edc8dd0181d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5eda5017959541ab82c5d56bcf784b8294e298"
        },
        {
          "url": "https://git.kernel.org/stable/c/a836ca33c5b07d34dd5347af9f64d25651d12674"
        }
      ],
      "title": "nvme-core: fix memory leak in dhchap_secret_store",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53852",
    "datePublished": "2025-12-09T01:30:17.449Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:17.449Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53851 (GCVE-0-2023-53851)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: Drop aux devices together with DP controller

Using devres to depopulate the aux bus made sure that upon a probe
deferral the EDP panel device would be destroyed and recreated upon next
attempt.

But the struct device which the devres is tied to is the DPUs
(drm_dev->dev), which may be happen after the DP controller is torn
down.

Indications of this can be seen in the commonly seen EDID-hexdump full
of zeros in the log, or the occasional/rare KASAN fault where the
panel's attempt to read the EDID information causes a use after free on
DP resources.

It's tempting to move the devres to the DP controller's struct device,
but the resources used by the device(s) on the aux bus are explicitly
torn down in the error path. The KASAN-reported use-after-free also
remains, as the DP aux "module" explicitly frees its devres-allocated
memory in this code path.

As such, explicitly depopulate the aux bus in the error path, and in the
component unbind path, to avoid these issues.

Patchwork: https://patchwork.freedesktop.org/patch/542163/
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < e09ed06938807cb113cddd0708ed74bd8cdaff33 (git)
Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < 2fde37445807e6e6d7981402d0bf1be0e5d81291 (git)
Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d (git)
Affected: 8768663188e4169333f66583e4d2432e65c421df (git)
    Linux Linux Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.3.13 , ≤ 6.3.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e09ed06938807cb113cddd0708ed74bd8cdaff33",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "lessThan": "2fde37445807e6e6d7981402d0bf1be0e5d81291",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "lessThan": "a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8768663188e4169333f66583e4d2432e65c421df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Drop aux devices together with DP controller\n\nUsing devres to depopulate the aux bus made sure that upon a probe\ndeferral the EDP panel device would be destroyed and recreated upon next\nattempt.\n\nBut the struct device which the devres is tied to is the DPUs\n(drm_dev-\u003edev), which may be happen after the DP controller is torn\ndown.\n\nIndications of this can be seen in the commonly seen EDID-hexdump full\nof zeros in the log, or the occasional/rare KASAN fault where the\npanel\u0027s attempt to read the EDID information causes a use after free on\nDP resources.\n\nIt\u0027s tempting to move the devres to the DP controller\u0027s struct device,\nbut the resources used by the device(s) on the aux bus are explicitly\ntorn down in the error path. The KASAN-reported use-after-free also\nremains, as the DP aux \"module\" explicitly frees its devres-allocated\nmemory in this code path.\n\nAs such, explicitly depopulate the aux bus in the error path, and in the\ncomponent unbind path, to avoid these issues.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542163/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:16.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d"
        }
      ],
      "title": "drm/msm/dp: Drop aux devices together with DP controller",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53851",
    "datePublished": "2025-12-09T01:30:16.081Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:16.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53850 (GCVE-0-2023-53850)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:

iavf: use internal state to free traffic IRQs

If the system tries to close the netdev while iavf_reset_task() is
running, __LINK_STATE_START will be cleared and netif_running() will
return false in iavf_reinit_interrupt_scheme(). This will result in
iavf_free_traffic_irqs() not being called and a leak as follows:

    [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0'
    [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0

is shown when pci_disable_msix() is later called. Fix by using the
internal adapter state. The traffic IRQs will always exist if
state == __IAVF_RUNNING.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff (git)
Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 5e9db32eec628481f5da97a5b1aedb84a5240d18 (git)
Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < a77ed5c5b768e9649be240a2d864e5cd9c6a2015 (git)
    Linux Linux Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/iavf/iavf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff",
              "status": "affected",
              "version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
              "versionType": "git"
            },
            {
              "lessThan": "5e9db32eec628481f5da97a5b1aedb84a5240d18",
              "status": "affected",
              "version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
              "versionType": "git"
            },
            {
              "lessThan": "a77ed5c5b768e9649be240a2d864e5cd9c6a2015",
              "status": "affected",
              "version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/iavf/iavf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: use internal state to free traffic IRQs\n\nIf the system tries to close the netdev while iavf_reset_task() is\nrunning, __LINK_STATE_START will be cleared and netif_running() will\nreturn false in iavf_reinit_interrupt_scheme(). This will result in\niavf_free_traffic_irqs() not being called and a leak as follows:\n\n    [7632.489326] remove_proc_entry: removing non-empty directory \u0027irq/999\u0027, leaking at least \u0027iavf-enp24s0f0v0-TxRx-0\u0027\n    [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0\n\nis shown when pci_disable_msix() is later called. Fix by using the\ninternal adapter state. The traffic IRQs will always exist if\nstate == __IAVF_RUNNING."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:14.740Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e9db32eec628481f5da97a5b1aedb84a5240d18"
        },
        {
          "url": "https://git.kernel.org/stable/c/a77ed5c5b768e9649be240a2d864e5cd9c6a2015"
        }
      ],
      "title": "iavf: use internal state to free traffic IRQs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53850",
    "datePublished": "2025-12-09T01:30:14.740Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:14.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53849 (GCVE-0-2023-53849)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/msm: fix workqueue leak on bind errors

Make sure to destroy the workqueue also in case of early errors during
bind (e.g. a subcomponent failing to bind).

Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with
drmm_") the mode config will be freed when the drm device is released
also when using the legacy interface, but add an explicit cleanup for
consistency and to facilitate backporting.

Patchwork: https://patchwork.freedesktop.org/patch/525093/
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 6e1476225ec02eeebc4b79f793506f80bc4bca8f (git)
Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 28e34db2f3e0130872e2384dd9df9f82bd89e967 (git)
Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 8551c4b7c8ffb42f759547e5c39da5980abf2432 (git)
Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < a75b49db6529b2af049eafd938fae888451c3685 (git)
Affected: 3e796097404e325fa8d4f48a2af61f2e01e3ef02 (git)
    Linux Linux Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 6.1.29 , ≤ 6.1.* (semver)
Unaffected: 6.2.16 , ≤ 6.2.* (semver)
Unaffected: 6.3.3 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e1476225ec02eeebc4b79f793506f80bc4bca8f",
              "status": "affected",
              "version": "060530f1ea6740eb767085008d183f89ccdd289c",
              "versionType": "git"
            },
            {
              "lessThan": "28e34db2f3e0130872e2384dd9df9f82bd89e967",
              "status": "affected",
              "version": "060530f1ea6740eb767085008d183f89ccdd289c",
              "versionType": "git"
            },
            {
              "lessThan": "8551c4b7c8ffb42f759547e5c39da5980abf2432",
              "status": "affected",
              "version": "060530f1ea6740eb767085008d183f89ccdd289c",
              "versionType": "git"
            },
            {
              "lessThan": "a75b49db6529b2af049eafd938fae888451c3685",
              "status": "affected",
              "version": "060530f1ea6740eb767085008d183f89ccdd289c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3e796097404e325fa8d4f48a2af61f2e01e3ef02",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.29",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.16",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.3",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.41",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix workqueue leak on bind errors\n\nMake sure to destroy the workqueue also in case of early errors during\nbind (e.g. a subcomponent failing to bind).\n\nSince commit c3b790ea07a1 (\"drm: Manage drm_mode_config_init with\ndrmm_\") the mode config will be freed when the drm device is released\nalso when using the legacy interface, but add an explicit cleanup for\nconsistency and to facilitate backporting.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525093/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:13.402Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e1476225ec02eeebc4b79f793506f80bc4bca8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/28e34db2f3e0130872e2384dd9df9f82bd89e967"
        },
        {
          "url": "https://git.kernel.org/stable/c/8551c4b7c8ffb42f759547e5c39da5980abf2432"
        },
        {
          "url": "https://git.kernel.org/stable/c/a75b49db6529b2af049eafd938fae888451c3685"
        }
      ],
      "title": "drm/msm: fix workqueue leak on bind errors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53849",
    "datePublished": "2025-12-09T01:30:13.402Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:13.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53848 (GCVE-0-2023-53848)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:

md/raid5-cache: fix a deadlock in r5l_exit_log()

Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing
work") introduce a new problem:

// caller hold reconfig_mutex
r5l_exit_log
 flush_work(&log->disable_writeback_work)
			r5c_disable_writeback_async
			 wait_event
			  /*
			   * conf->log is not NULL, and mddev_trylock()
			   * will fail, wait_event() can never pass.
			   */
 conf->log = NULL

Fix this problem by setting 'config->log' to NULL before wake_up() as it
used to be, so that wait_event() from r5c_disable_writeback_async() can
exist. In the meantime, move forward md_unregister_thread() so that
null-ptr-deref this commit fixed can still be fixed.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: b13015af94cf405f73ff64ce0797269554020c37 , < ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b (git)
Affected: b13015af94cf405f73ff64ce0797269554020c37 , < 71cf23271f015a57038bdc4669952096f9fe5500 (git)
Affected: b13015af94cf405f73ff64ce0797269554020c37 , < c406984738215dc20ac2dc63e49d70f20797730e (git)
Affected: b13015af94cf405f73ff64ce0797269554020c37 , < a705b11b358dee677aad80630e7608b2d5f56691 (git)
    Linux Linux Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.53 , ≤ 6.1.* (semver)
Unaffected: 6.4.16 , ≤ 6.4.* (semver)
Unaffected: 6.5.3 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5-cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b",
              "status": "affected",
              "version": "b13015af94cf405f73ff64ce0797269554020c37",
              "versionType": "git"
            },
            {
              "lessThan": "71cf23271f015a57038bdc4669952096f9fe5500",
              "status": "affected",
              "version": "b13015af94cf405f73ff64ce0797269554020c37",
              "versionType": "git"
            },
            {
              "lessThan": "c406984738215dc20ac2dc63e49d70f20797730e",
              "status": "affected",
              "version": "b13015af94cf405f73ff64ce0797269554020c37",
              "versionType": "git"
            },
            {
              "lessThan": "a705b11b358dee677aad80630e7608b2d5f56691",
              "status": "affected",
              "version": "b13015af94cf405f73ff64ce0797269554020c37",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/raid5-cache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.53",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.16",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix a deadlock in r5l_exit_log()\n\nCommit b13015af94cf (\"md/raid5-cache: Clear conf-\u003elog after finishing\nwork\") introduce a new problem:\n\n// caller hold reconfig_mutex\nr5l_exit_log\n flush_work(\u0026log-\u003edisable_writeback_work)\n\t\t\tr5c_disable_writeback_async\n\t\t\t wait_event\n\t\t\t  /*\n\t\t\t   * conf-\u003elog is not NULL, and mddev_trylock()\n\t\t\t   * will fail, wait_event() can never pass.\n\t\t\t   */\n conf-\u003elog = NULL\n\nFix this problem by setting \u0027config-\u003elog\u0027 to NULL before wake_up() as it\nused to be, so that wait_event() from r5c_disable_writeback_async() can\nexist. In the meantime, move forward md_unregister_thread() so that\nnull-ptr-deref this commit fixed can still be fixed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:11.895Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/71cf23271f015a57038bdc4669952096f9fe5500"
        },
        {
          "url": "https://git.kernel.org/stable/c/c406984738215dc20ac2dc63e49d70f20797730e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a705b11b358dee677aad80630e7608b2d5f56691"
        }
      ],
      "title": "md/raid5-cache: fix a deadlock in r5l_exit_log()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53848",
    "datePublished": "2025-12-09T01:30:11.895Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:11.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53847 (GCVE-0-2023-53847)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb-storage: alauda: Fix uninit-value in alauda_check_media()

Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage:

BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137
CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
  kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
  __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
  alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460

The problem is that alauda_check_media() doesn't verify that its USB transfer succeeded before trying to use the received data. What should happen if the transfer fails isn't entirely clear, but a reasonably conservative approach is to pretend that no media is present.

A similar problem exists in a usb_stor_dbg() call in alauda_get_media_status(). In this case, when an error occurs the call is redundant, because usb_stor_ctrl_transfer() already will print a debugging message.

Finally, unrelated to the uninitialized memory access, is the fact that alauda_check_media() performs DMA to a buffer on the stack. Fortunately usb-storage provides a general purpose DMA-able buffer for uses like this. We'll use it instead.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 153c3e85873cc3e2f387169783c3a227bad9a95a (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 49d380bcd6cba987c6085fae6464c9c087e8d9a0 (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 044f4446e06bb03c52216697b14867ebc555ad3b (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < fe7c3a445d22783d27fe8bd0521a8aab1eb9da65 (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 7a11d1e2625bdb2346f6586773b20b20977278ac (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 373e0ab8c4c516561493f1acf367c7ee7dc053c2 (git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < a6ff6e7a9dd69364547751db0f626a10a6d628d2 (git)
Linux Linux Affected: 2.6.16
Unaffected: 0 , < 2.6.16 (semver)
Unaffected: 4.14.323 , ≤ 4.14.* (semver)
Unaffected: 4.19.292 , ≤ 4.19.* (semver)
Unaffected: 5.4.254 , ≤ 5.4.* (semver)
Unaffected: 5.10.191 , ≤ 5.10.* (semver)
Unaffected: 5.15.127 , ≤ 5.15.* (semver)
Unaffected: 6.1.46 , ≤ 6.1.* (semver)
Unaffected: 6.4.11 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/alauda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "153c3e85873cc3e2f387169783c3a227bad9a95a",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "49d380bcd6cba987c6085fae6464c9c087e8d9a0",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "044f4446e06bb03c52216697b14867ebc555ad3b",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "fe7c3a445d22783d27fe8bd0521a8aab1eb9da65",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "7a11d1e2625bdb2346f6586773b20b20977278ac",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "373e0ab8c4c516561493f1acf367c7ee7dc053c2",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            },
            {
              "lessThan": "a6ff6e7a9dd69364547751db0f626a10a6d628d2",
              "status": "affected",
              "version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/alauda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.16"
            },
            {
              "lessThan": "2.6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.254",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.323",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.292",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.254",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.191",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.127",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.46",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Fix uninit-value in alauda_check_media()\n\nSyzbot got KMSAN to complain about access to an uninitialized value in\nthe alauda subdriver of usb-storage:\n\nBUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0\ndrivers/usb/storage/alauda.c:1137\nCPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 01/01/2011\nCall Trace:\n  __dump_stack lib/dump_stack.c:77 [inline]\n  dump_stack+0x191/0x1f0 lib/dump_stack.c:113\n  kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108\n  __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250\n  alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460\n\nThe problem is that alauda_check_media() doesn\u0027t verify that its USB\ntransfer succeeded before trying to use the received data.  What\nshould happen if the transfer fails isn\u0027t entirely clear, but a\nreasonably conservative approach is to pretend that no media is\npresent.\n\nA similar problem exists in a usb_stor_dbg() call in\nalauda_get_media_status().  In this case, when an error occurs the\ncall is redundant, because usb_stor_ctrl_transfer() already will print\na debugging message.\n\nFinally, unrelated to the uninitialized memory access, is the fact\nthat alauda_check_media() performs DMA to a buffer on the stack.\nFortunately usb-storage provides a general purpose DMA-able buffer for\nuses like this.  We\u0027ll use it instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:10.344Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a"
        },
        {
          "url": "https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2"
        }
      ],
      "title": "usb-storage: alauda: Fix uninit-value in alauda_check_media()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53847",
    "datePublished": "2025-12-09T01:30:10.344Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:10.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53846 (GCVE-0-2023-53846)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on direct node in truncate_dnode()

syzbot reports below bug:

BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000

CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944
 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154
 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721
 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749
 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799
 f2fs_truncate include/linux/fs.h:825 [inline]
 f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006
 notify_change+0xb2c/0x1180 fs/attr.c:483
 do_truncate+0x143/0x200 fs/open.c:66
 handle_truncate fs/namei.c:3295 [inline]
 do_open fs/namei.c:3640 [inline]
 path_openat+0x2083/0x2750 fs/namei.c:3791
 do_filp_open+0x1ba/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_creat fs/open.c:1448 [inline]
 __se_sys_creat fs/open.c:1442 [inline]
 __x64_sys_creat+0xcd/0x120 fs/open.c:1442
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is, inodeA references inodeB via inodeB's ino, once inodeA is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's node page, it traverse mapping data from node->i.i_addr[0] to node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.

This patch fixes to add sanity check on dnode page in truncate_dnode(), so that, it can help to avoid triggering such issue, and once it encounters such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE error into superblock, later fsck can detect such issue and try repairing.

Also, it removes f2fs_truncate_data_blocks() for cleanup due to the function has only one caller, and uses f2fs_truncate_data_blocks_range() instead.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < af0f716ad3b039cab9d426da63a5ee6c88751185 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a6ec83786ab9f13f25fb18166dee908845713a95 (git)
Linux Linux Unaffected: 6.4.10 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h",
            "fs/f2fs/file.c",
            "fs/f2fs/node.c",
            "include/linux/f2fs_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af0f716ad3b039cab9d426da63a5ee6c88751185",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a6ec83786ab9f13f25fb18166dee908845713a95",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h",
            "fs/f2fs/file.c",
            "fs/f2fs/node.c",
            "include/linux/f2fs_fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on direct node in truncate_dnode()\n\nsyzbot reports below bug:\n\nBUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\nRead of size 4 at addr ffff88802a25c000 by task syz-executor148/5000\n\nCPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\n truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944\n f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154\n f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721\n f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749\n f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799\n f2fs_truncate include/linux/fs.h:825 [inline]\n f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006\n notify_change+0xb2c/0x1180 fs/attr.c:483\n do_truncate+0x143/0x200 fs/open.c:66\n handle_truncate fs/namei.c:3295 [inline]\n do_open fs/namei.c:3640 [inline]\n path_openat+0x2083/0x2750 fs/namei.c:3791\n do_filp_open+0x1ba/0x410 fs/namei.c:3818\n do_sys_openat2+0x16d/0x4c0 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_creat fs/open.c:1448 [inline]\n __se_sys_creat fs/open.c:1442 [inline]\n __x64_sys_creat+0xcd/0x120 fs/open.c:1442\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is, inodeA references inodeB via inodeB\u0027s ino, once inodeA\nis truncated, it calls truncate_dnode() to truncate data blocks in inodeB\u0027s\nnode page, it traverse mapping data from node-\u003ei.i_addr[0] to\nnode-\u003ei.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.\n\nThis patch fixes to add sanity check on dnode page in truncate_dnode(),\nso that, it can help to avoid triggering such issue, and once it encounters\nsuch issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE\nerror into superblock, later fsck can detect such issue and try repairing.\n\nAlso, it removes f2fs_truncate_data_blocks() for cleanup due to the\nfunction has only one caller, and uses f2fs_truncate_data_blocks_range()\ninstead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:09.202Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af0f716ad3b039cab9d426da63a5ee6c88751185"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6ec83786ab9f13f25fb18166dee908845713a95"
        }
      ],
      "title": "f2fs: fix to do sanity check on direct node in truncate_dnode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53846",
    "datePublished": "2025-12-09T01:30:09.202Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:09.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53845 (GCVE-0-2023-53845)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix infinite loop in nilfs_mdt_get_block()

If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level() may return the same internal return code as -ENOENT, meaning the block does not exist in the metadata file. This duplication of return codes confuses nilfs_mdt_get_block(), causing it to read and create a metadata block indefinitely. In particular, if this happens to the inode metadata file, ifile, semaphore i_rwsem can be left held, causing task hangs in lock_mount.

Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block address translation failures with -ENOENT as metadata corruption instead of returning the error code.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d536f9976bb04e9c84cf80045a9355975e418f41 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a89d36a07afe1ed4564df51fefa2bb556c85412 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d07d9119642ba43d21f8ba64d51d01931096b20 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 25457d07c8146e57d28906c663def033dc425af6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 34c5f17222b50c79848bb03ec8811648813e6a45 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5b29661669cb65b9750a3cf70ed3eaf947b92167 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a6a491c048882e7e424d407d32cba0b52d9ef2bf (git)
Linux Linux Unaffected: 4.14.315 , ≤ 4.14.* (semver)
Unaffected: 4.19.283 , ≤ 4.19.* (semver)
Unaffected: 5.4.243 , ≤ 5.4.* (semver)
Unaffected: 5.10.180 , ≤ 5.10.* (semver)
Unaffected: 5.15.111 , ≤ 5.15.* (semver)
Unaffected: 6.1.28 , ≤ 6.1.* (semver)
Unaffected: 6.2.15 , ≤ 6.2.* (semver)
Unaffected: 6.3.2 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/bmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d536f9976bb04e9c84cf80045a9355975e418f41",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8a89d36a07afe1ed4564df51fefa2bb556c85412",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8d07d9119642ba43d21f8ba64d51d01931096b20",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "25457d07c8146e57d28906c663def033dc425af6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "34c5f17222b50c79848bb03ec8811648813e6a45",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5b29661669cb65b9750a3cf70ed3eaf947b92167",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a6a491c048882e7e424d407d32cba0b52d9ef2bf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/bmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.315",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.283",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.315",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.283",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.243",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.180",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.111",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix infinite loop in nilfs_mdt_get_block()\n\nIf the disk image that nilfs2 mounts is corrupted and a virtual block\naddress obtained by block lookup for a metadata file is invalid,\nnilfs_bmap_lookup_at_level() may return the same internal return code as\n-ENOENT, meaning the block does not exist in the metadata file.\n\nThis duplication of return codes confuses nilfs_mdt_get_block(), causing\nit to read and create a metadata block indefinitely.\n\nIn particular, if this happens to the inode metadata file, ifile,\nsemaphore i_rwsem can be left held, causing task hangs in lock_mount.\n\nFix this issue by making nilfs_bmap_lookup_at_level() treat virtual block\naddress translation failures with -ENOENT as metadata corruption instead\nof returning the error code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:08.016Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d536f9976bb04e9c84cf80045a9355975e418f41"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a89d36a07afe1ed4564df51fefa2bb556c85412"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d07d9119642ba43d21f8ba64d51d01931096b20"
        },
        {
          "url": "https://git.kernel.org/stable/c/25457d07c8146e57d28906c663def033dc425af6"
        },
        {
          "url": "https://git.kernel.org/stable/c/34c5f17222b50c79848bb03ec8811648813e6a45"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b29661669cb65b9750a3cf70ed3eaf947b92167"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6a491c048882e7e424d407d32cba0b52d9ef2bf"
        }
      ],
      "title": "nilfs2: fix infinite loop in nilfs_mdt_get_block()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53845",
    "datePublished": "2025-12-09T01:30:08.016Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:08.016Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53844 (GCVE-0-2023-53844)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Don't leak a resource on swapout move error

If moving the bo to system for swapout failed, we were leaking a resource. Fix.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834 (git)
Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < f037f6038736bd038ddb9c72de979a08cc1ee3b5 (git)
Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < 4a5b37ea6797d7a53e6dd004aa37e149f40199ce (git)
Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < a590f03d8de7c4cb7ce4916dc7f2fd10711faabe (git)
    Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.121 , ≤ 5.15.* (semver)
Unaffected: 6.1.40 , ≤ 6.1.* (semver)
Unaffected: 6.4.5 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/ttm/ttm_bo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834",
              "status": "affected",
              "version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
              "versionType": "git"
            },
            {
              "lessThan": "f037f6038736bd038ddb9c72de979a08cc1ee3b5",
              "status": "affected",
              "version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
              "versionType": "git"
            },
            {
              "lessThan": "4a5b37ea6797d7a53e6dd004aa37e149f40199ce",
              "status": "affected",
              "version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
              "versionType": "git"
            },
            {
              "lessThan": "a590f03d8de7c4cb7ce4916dc7f2fd10711faabe",
              "status": "affected",
              "version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/ttm/ttm_bo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.121",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.40",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.5",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don\u0027t leak a resource on swapout move error\n\nIf moving the bo to system for swapout failed, we were leaking\na resource. Fix."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:06.863Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834"
        },
        {
          "url": "https://git.kernel.org/stable/c/f037f6038736bd038ddb9c72de979a08cc1ee3b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a5b37ea6797d7a53e6dd004aa37e149f40199ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/a590f03d8de7c4cb7ce4916dc7f2fd10711faabe"
        }
      ],
      "title": "drm/ttm: Don\u0027t leak a resource on swapout move error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53844",
    "datePublished": "2025-12-09T01:30:06.863Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:06.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53843 (GCVE-0-2023-53843)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: reject negative ifindex

Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL:

    $ ./cli.py --spec netlink/specs/ovs_datapath.yaml \
             --do new \
             --json '{"upcall-pid": 1, "name":"my-dp"}'
    $ ./cli.py --spec netlink/specs/ovs_vport.yaml \
             --do new \
             --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

    $ ip link show
    -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff
    ...

Validate the inputs. Now the second command correctly returns:

    $ ./cli.py --spec netlink/specs/ovs_vport.yaml \
             --do new \
             --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'

    lib.ynl.NlError: Netlink error: Numerical result out of range
    nl_len = 108 (92) nl_flags = 0x300 nl_type = 2
        error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'}

Accept 0 since it used to be silently ignored.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < c965a58376146dcfdda186819462e8eb3aadef3a (git)
Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < 881faff9e548a7ddfb11595be7c1c649217d27db (git)
Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < a552bfa16bab4ce901ee721346a28c4e483f4066 (git)
    Linux Linux Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.47 , ≤ 6.1.* (semver)
Unaffected: 6.4.12 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c965a58376146dcfdda186819462e8eb3aadef3a",
              "status": "affected",
              "version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
              "versionType": "git"
            },
            {
              "lessThan": "881faff9e548a7ddfb11595be7c1c649217d27db",
              "status": "affected",
              "version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
              "versionType": "git"
            },
            {
              "lessThan": "a552bfa16bab4ce901ee721346a28c4e483f4066",
              "status": "affected",
              "version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/datapath.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.47",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.12",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: reject negative ifindex\n\nRecent changes in net-next (commit 759ab1edb56c (\"net: store netdevs\nin an xarray\")) refactored the handling of pre-assigned ifindexes\nand let syzbot surface a latent problem in ovs. ovs does not validate\nifindex, making it possible to create netdev ports with negative\nifindex values. It\u0027s easy to repro with YNL:\n\n$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \\\n         --do new \\\n\t --json \u0027{\"upcall-pid\": 1, \"name\":\"my-dp\"}\u0027\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\n$ ip link show\n-65536: some-port0: \u003cBROADCAST,MULTICAST\u003e mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\n    link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff\n...\n\nValidate the inputs. Now the second command correctly returns:\n\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\nlib.ynl.NlError: Netlink error: Numerical result out of range\nnl_len = 108 (92) nl_flags = 0x300 nl_type = 2\n\terror: -34\textack: {\u0027msg\u0027: \u0027integer out of range\u0027, \u0027unknown\u0027: [[type:4 len:36] b\u0027\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x03\\x00\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x08\\x00\\x01\\x00\\x08\\x00\\x00\\x00\u0027], \u0027bad-attr\u0027: \u0027.ifindex\u0027}\n\nAccept 0 since it used to be silently ignored."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:05.698Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db"
        },
        {
          "url": "https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066"
        }
      ],
      "title": "net: openvswitch: reject negative ifindex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53843",
    "datePublished": "2025-12-09T01:30:05.698Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:30:05.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53842 (GCVE-0-2023-53842)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
Summary
In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove

The MBHC resources must be released on component probe failure and removal so can not be tied to the lifetime of the component device.

This is specifically needed to allow probe deferrals of the sound card which otherwise fails when reprobing the codec component:

    snd-sc8280xp sound: ASoC: failed to instantiate card -517
    genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)
    wcd938x_codec audio-codec: Failed to request mbhc interrupts -16
    wcd938x_codec audio-codec: mbhc initialization failed
    wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16
    snd-sc8280xp sound: ASoC: failed to instantiate card -16
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 90ab6446eb522e31421b77bf8f45714f5668f9a3 (git)
Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 17feff71d06c96dea1fa72451c20d411e9d5ac8f (git)
Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < ce4059e1c0aca972446e06c09ee09a0d2ba5df54 (git)
Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 (git)
    Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.123 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/wcd-mbhc-v2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90ab6446eb522e31421b77bf8f45714f5668f9a3",
              "status": "affected",
              "version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
              "versionType": "git"
            },
            {
              "lessThan": "17feff71d06c96dea1fa72451c20d411e9d5ac8f",
              "status": "affected",
              "version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
              "versionType": "git"
            },
            {
              "lessThan": "ce4059e1c0aca972446e06c09ee09a0d2ba5df54",
              "status": "affected",
              "version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
              "versionType": "git"
            },
            {
              "lessThan": "a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30",
              "status": "affected",
              "version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/wcd-mbhc-v2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.123",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove\n\nThe MBHC resources must be released on component probe failure and\nremoval so can not be tied to the lifetime of the component device.\n\nThis is specifically needed to allow probe deferrals of the sound card\nwhich otherwise fails when reprobing the codec component:\n\n    snd-sc8280xp sound: ASoC: failed to instantiate card -517\n    genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)\n    wcd938x_codec audio-codec: Failed to request mbhc interrupts -16\n    wcd938x_codec audio-codec: mbhc initialization failed\n    wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16\n    snd-sc8280xp sound: ASoC: failed to instantiate card -16"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:04.183Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90ab6446eb522e31421b77bf8f45714f5668f9a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/17feff71d06c96dea1fa72451c20d411e9d5ac8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce4059e1c0aca972446e06c09ee09a0d2ba5df54"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30"
        }
      ],
      "title": "ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53842",
    "datePublished": "2025-12-09T01:30:04.183Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:30:04.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53841 (GCVE-0-2023-53841)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Summary
In the Linux kernel, the following vulnerability has been resolved:

devlink: report devlink_port_type_warn source device

devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. But from this warning it is not easy found out which device (driver) has no devlink port set.

[ 3709.975552] Type was not set for devlink port.
[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20
[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm
[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse
[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1
[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022
[ 3710.108437] Workqueue: events devlink_port_type_warn
[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20
[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87
[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282
[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027
[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8
[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18
[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600
[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905
[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000
[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0
[ 3710.108456] PKRU: 55555554
[ 3710.108457] Call Trace:
[ 3710.108458] <TASK>
[ 3710.108459] process_one_work+0x1e2/0x3b0
[ 3710.108466] ? rescuer_thread+0x390/0x390
[ 3710.108468] worker_thread+0x50/0x3a0
[ 3710.108471] ? rescuer_thread+0x390/0x390
[ 3710.108473] kthread+0xdd/0x100
[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20
[ 3710.108479] ret_from_fork+0x1f/0x30
[ 3710.108485] </TASK>
[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---

After patch:
[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.
[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 970c7035f4b03c7be9f49c403ccf6fb0b70039a1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2864cc9a1fd13666ed7fd9064dc3f2c51a85de32 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7552020e3aa8283b215ca6b3840e6f9281ee4664 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 408d40c729cbe3a918a381405df769491a472122 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 21b9e0efb38eac1fe7bed369e96980cad45aa9c7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a52305a81d6bb74b90b400dfa56455d37872fe4b (git)
    Linux Linux Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.150 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/leftover.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "970c7035f4b03c7be9f49c403ccf6fb0b70039a1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2864cc9a1fd13666ed7fd9064dc3f2c51a85de32",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7552020e3aa8283b215ca6b3840e6f9281ee4664",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "408d40c729cbe3a918a381405df769491a472122",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "21b9e0efb38eac1fe7bed369e96980cad45aa9c7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a52305a81d6bb74b90b400dfa56455d37872fe4b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/leftover.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.150",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: report devlink_port_type_warn source device\n\ndevlink_port_type_warn is scheduled for port devlink and warning\nwhen the port type is not set. But from this warning it is not easy\nfound out which device (driver) has no devlink port set.\n\n[ 3709.975552] Type was not set for devlink port.\n[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20\n[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm\n[ 3709.994030]  crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse\n[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1\n[ 3710.108435] Hardware name: Dell Inc. 
PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022\n[ 3710.108437] Workqueue: events devlink_port_type_warn\n[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20\n[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff \u003c0f\u003e 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87\n[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282\n[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027\n[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8\n[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18\n[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600\n[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905\n[ 3710.108452] FS:  0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000\n[ 3710.108453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0\n[ 3710.108456] PKRU: 55555554\n[ 3710.108457] Call Trace:\n[ 3710.108458]  \u003cTASK\u003e\n[ 3710.108459]  process_one_work+0x1e2/0x3b0\n[ 3710.108466]  ? rescuer_thread+0x390/0x390\n[ 3710.108468]  worker_thread+0x50/0x3a0\n[ 3710.108471]  ? rescuer_thread+0x390/0x390\n[ 3710.108473]  kthread+0xdd/0x100\n[ 3710.108477]  ? kthread_complete_and_exit+0x20/0x20\n[ 3710.108479]  ret_from_fork+0x1f/0x30\n[ 3710.108485]  \u003c/TASK\u003e\n[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---\n\nAfter patch:\n[  402.473064] ice 0000:41:00.0: Type was not set for devlink port.\n[  402.473064] ice 0000:41:00.1: Type was not set for devlink port."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:58.448Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/970c7035f4b03c7be9f49c403ccf6fb0b70039a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2864cc9a1fd13666ed7fd9064dc3f2c51a85de32"
        },
        {
          "url": "https://git.kernel.org/stable/c/7552020e3aa8283b215ca6b3840e6f9281ee4664"
        },
        {
          "url": "https://git.kernel.org/stable/c/408d40c729cbe3a918a381405df769491a472122"
        },
        {
          "url": "https://git.kernel.org/stable/c/21b9e0efb38eac1fe7bed369e96980cad45aa9c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a52305a81d6bb74b90b400dfa56455d37872fe4b"
        }
      ],
      "title": "devlink: report devlink_port_type_warn source device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53841",
    "datePublished": "2025-12-09T01:29:58.448Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:29:58.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53840 (GCVE-0-2023-53840)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: early: xhci-dbc: Fix a potential out-of-bound memory access

If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called.

Reserve an extra byte, which will be zeroed automatically because 'buf' is a static variable, in order to avoid troubles, should it happen.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0 (git)
Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < 351c8d8650d1ccc006255fa01f98b6c6496a02e5 (git)
Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < df7c8aba7309f4dc55df94e06b67f576c0f52406 (git)
Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < a4a97ab3db5c081eb6e7dba91306adefb461e0bd (git)
    Linux Linux Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/early/xhci-dbc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0",
              "status": "affected",
              "version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
              "versionType": "git"
            },
            {
              "lessThan": "351c8d8650d1ccc006255fa01f98b6c6496a02e5",
              "status": "affected",
              "version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
              "versionType": "git"
            },
            {
              "lessThan": "df7c8aba7309f4dc55df94e06b67f576c0f52406",
              "status": "affected",
              "version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
              "versionType": "git"
            },
            {
              "lessThan": "a4a97ab3db5c081eb6e7dba91306adefb461e0bd",
              "status": "affected",
              "version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/early/xhci-dbc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: early: xhci-dbc: Fix a potential out-of-bound memory access\n\nIf xdbc_bulk_write() fails, the values in \u0027buf\u0027 can be anything. So the\nstring is not guaranteed to be NULL terminated when xdbc_trace() is called.\n\nReserve an extra byte, which will be zeroed automatically because \u0027buf\u0027 is\na static variable, in order to avoid troubles, should it happen."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:56.848Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd"
        }
      ],
      "title": "usb: early: xhci-dbc: Fix a potential out-of-bound memory access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53840",
    "datePublished": "2025-12-09T01:29:56.848Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:29:56.848Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53839 (GCVE-0-2023-53839)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Summary
In the Linux kernel, the following vulnerability has been resolved:

dccp: fix data-race around dp->dccps_mss_cache

dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt().

Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 67eebc7a9217f999b779d46fba5312a716f0dc1d (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 6d701c95ee6463abcbb6da543060d6e444554135 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < f239c9e1d98b313435481b4926e8bdd06197e4d8 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a6ddc1c774874dc704f96a99d015dc759627bba7 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384 (git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a47e598fbd8617967e49d85c49c22f9fc642704c (git)
    Linux Linux Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 4.14.323 , ≤ 4.14.* (semver)
Unaffected: 4.19.292 , ≤ 4.19.* (semver)
Unaffected: 5.4.254 , ≤ 5.4.* (semver)
Unaffected: 5.10.191 , ≤ 5.10.* (semver)
Unaffected: 5.15.127 , ≤ 5.15.* (semver)
Unaffected: 6.1.46 , ≤ 6.1.* (semver)
Unaffected: 6.4.11 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/dccp/output.c",
            "net/dccp/proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "67eebc7a9217f999b779d46fba5312a716f0dc1d",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "6d701c95ee6463abcbb6da543060d6e444554135",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "f239c9e1d98b313435481b4926e8bdd06197e4d8",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "a6ddc1c774874dc704f96a99d015dc759627bba7",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            },
            {
              "lessThan": "a47e598fbd8617967e49d85c49c22f9fc642704c",
              "status": "affected",
              "version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/dccp/output.c",
            "net/dccp/proto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.254",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.323",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.292",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.254",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.191",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.127",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.46",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix data-race around dp-\u003edccps_mss_cache\n\ndccp_sendmsg() reads dp-\u003edccps_mss_cache before locking the socket.\nSame thing in do_dccp_getsockopt().\n\nAdd READ_ONCE()/WRITE_ONCE() annotations,\nand change dccp_sendmsg() to check again dccps_mss_cache\nafter socket is locked."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:55.540Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817"
        },
        {
          "url": "https://git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135"
        },
        {
          "url": "https://git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384"
        },
        {
          "url": "https://git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c"
        }
      ],
      "title": "dccp: fix data-race around dp-\u003edccps_mss_cache",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53839",
    "datePublished": "2025-12-09T01:29:55.540Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:29:55.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53838 (GCVE-0-2023-53838)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Summary
In the Linux kernel, the following vulnerability has been resolved:

f2fs: synchronize atomic write aborts

To fix a race condition between atomic write aborts, I use the inode lock and make COW inode to be re-usable throughout the whole atomic file inode lifetime.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < 102b82708c1523b36d421cb8687746906069bc17 (git)
Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < b7724360714642099cec907f54f42e55f5325453 (git)
Affected: 3db1de0e582c358dd013f3703cd55b5fe4076436 , < a46bebd502fe1a3bd1d22f64cedd93e7e7702693 (git)
Affected: 6db52f1944417c2601182a591a704e2f119c5215 (git)
    Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.18 , ≤ 6.1.* (semver)
Unaffected: 6.2.5 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/file.c",
            "fs/f2fs/inode.c",
            "fs/f2fs/segment.c",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "102b82708c1523b36d421cb8687746906069bc17",
              "status": "affected",
              "version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
              "versionType": "git"
            },
            {
              "lessThan": "b7724360714642099cec907f54f42e55f5325453",
              "status": "affected",
              "version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
              "versionType": "git"
            },
            {
              "lessThan": "a46bebd502fe1a3bd1d22f64cedd93e7e7702693",
              "status": "affected",
              "version": "3db1de0e582c358dd013f3703cd55b5fe4076436",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6db52f1944417c2601182a591a704e2f119c5215",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/file.c",
            "fs/f2fs/inode.c",
            "fs/f2fs/segment.c",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.18",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.5",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: synchronize atomic write aborts\n\nTo fix a race condition between atomic write aborts, I use the inode\nlock and make COW inode to be re-usable thoroughout the whole\natomic file inode lifetime."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:54.419Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/102b82708c1523b36d421cb8687746906069bc17"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7724360714642099cec907f54f42e55f5325453"
        },
        {
          "url": "https://git.kernel.org/stable/c/a46bebd502fe1a3bd1d22f64cedd93e7e7702693"
        }
      ],
      "title": "f2fs: synchronize atomic write aborts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53838",
    "datePublished": "2025-12-09T01:29:54.419Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:29:54.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53837 (GCVE-0-2023-53837)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on snapshot tear down. In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525099/
Severity: No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 98659487b845c05b6bed85d881713545db674c7c , < 8f0e1ad5327a3499e7f09157cb714302a856e8a4 (git)
Affected: 98659487b845c05b6bed85d881713545db674c7c , < 16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175 (git)
Affected: 98659487b845c05b6bed85d881713545db674c7c , < 8eca32b5b92a0be956a8934d7eddf4f70c107927 (git)
Affected: 98659487b845c05b6bed85d881713545db674c7c , < 19fe79ae816a7e3400df1eb4d27530bf9b8ae258 (git)
Affected: 98659487b845c05b6bed85d881713545db674c7c , < a465353b9250802f87b97123e33a17f51277f0b1 (git)
Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.112 , ≤ 5.15.* (semver)
Unaffected: 6.1.29 , ≤ 6.1.* (semver)
Unaffected: 6.2.16 , ≤ 6.2.* (semver)
Unaffected: 6.3.3 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8f0e1ad5327a3499e7f09157cb714302a856e8a4",
              "status": "affected",
              "version": "98659487b845c05b6bed85d881713545db674c7c",
              "versionType": "git"
            },
            {
              "lessThan": "16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175",
              "status": "affected",
              "version": "98659487b845c05b6bed85d881713545db674c7c",
              "versionType": "git"
            },
            {
              "lessThan": "8eca32b5b92a0be956a8934d7eddf4f70c107927",
              "status": "affected",
              "version": "98659487b845c05b6bed85d881713545db674c7c",
              "versionType": "git"
            },
            {
              "lessThan": "19fe79ae816a7e3400df1eb4d27530bf9b8ae258",
              "status": "affected",
              "version": "98659487b845c05b6bed85d881713545db674c7c",
              "versionType": "git"
            },
            {
              "lessThan": "a465353b9250802f87b97123e33a17f51277f0b1",
              "status": "affected",
              "version": "98659487b845c05b6bed85d881713545db674c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/msm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.112",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.29",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on snapshot tear down\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitilisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525099/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:53.194Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8f0e1ad5327a3499e7f09157cb714302a856e8a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175"
        },
        {
          "url": "https://git.kernel.org/stable/c/8eca32b5b92a0be956a8934d7eddf4f70c107927"
        },
        {
          "url": "https://git.kernel.org/stable/c/19fe79ae816a7e3400df1eb4d27530bf9b8ae258"
        },
        {
          "url": "https://git.kernel.org/stable/c/a465353b9250802f87b97123e33a17f51277f0b1"
        }
      ],
      "title": "drm/msm: fix NULL-deref on snapshot tear down",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53837",
    "datePublished": "2025-12-09T01:29:53.194Z",
    "dateReserved": "2025-12-09T01:27:17.826Z",
    "dateUpdated": "2025-12-09T01:29:53.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}