CVE-2023-53401

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53401
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53401.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53401
Downstream
Published
2025-09-18T14:15:43Z
Modified
2025-09-19T16:00:27Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: kmem: fix a NULL pointer dereference in objstockflush_required()

KCSAN found an issue in objstockflushrequired(): stock->cachedobjcg can be reset between the check and dereference:

================================================================== BUG: KCSAN: data-race in drainallstock / drainobjstock

write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drainobjstock+0x408/0x4e0 mm/memcontrol.c:3306 refillobjstock+0x9c/0x1e0 mm/memcontrol.c:3340 objcgroupuncharge+0xe/0x10 mm/memcontrol.c:3408 memcgslabfreehook mm/slab.h:587 [inline] cachefree mm/slab.c:3373 [inline] _dokmemcachefree mm/slab.c:3577 [inline] kmemcachefree+0x105/0x280 mm/slab.c:3602 _dfree fs/dcache.c:298 [inline] dentryfree fs/dcache.c:375 [inline] _dentrykill+0x422/0x4a0 fs/dcache.c:621 dentrykill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 _fput+0x3bf/0x570 fs/filetable.c:329 fput+0x15/0x20 fs/filetable.c:349 taskworkrun+0x123/0x160 kernel/taskwork.c:179 resumeusermodework include/linux/resumeusermode.h:49 [inline] exittousermodeloop+0xcf/0xe0 kernel/entry/common.c:171 exittousermodeprepare+0x6a/0xa0 kernel/entry/common.c:203 _syscallexittousermodework kernel/entry/common.c:285 [inline] syscallexittousermode+0x26/0x140 kernel/entry/common.c:296 dosyscall64+0x4d/0xc0 arch/x86/entry/common.c:86 entrySYSCALL64after_hwframe+0x63/0xcd

read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: objstockflushrequired mm/memcontrol.c:3319 [inline] drainallstock+0x174/0x2a0 mm/memcontrol.c:2361 trychargememcg+0x6d0/0xd10 mm/memcontrol.c:2703 trycharge mm/memcontrol.c:2837 [inline] memcgroupchargeskmem+0x51/0x140 mm/memcontrol.c:7290 sockreservememory+0xb1/0x390 net/core/sock.c:1025 sksetsockopt+0x800/0x1e70 net/core/sock.c:1525 udplibsetsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udpsetsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sockcommonsetsockopt+0x61/0x70 net/core/sock.c:3668 _syssetsockopt+0x1c3/0x230 net/socket.c:2271 _dosyssetsockopt net/socket.c:2282 [inline] _sesyssetsockopt net/socket.c:2279 [inline] _x64syssetsockopt+0x66/0x80 net/socket.c:2279 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

value changed: 0xffff8881382d52c0 -> 0xffff888138893740

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fix it by using READONCE()/WRITEONCE() for all accesses to stock->cached_objcg.

References

Affected packages