CVE-2023-53441

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53441
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53441.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53441
Downstream
Published
2025-09-18T16:15:48Z
Modified
2025-09-19T16:00:27Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: cpumap: Fix memory leak in cpumapupdate_elem

Syzkaller reported a memory leak as follows:

BUG: memory leak unreferenced object 0xff110001198ef748 (size 192): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 32 bytes): 00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J........... 00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(....... backtrace: [<ffffffffadd28087>] _cpumapentryalloc+0xf7/0xb00 [<ffffffffadd28d8e>] cpumapupdateelem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpfmapupdatevalue.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] mapupdateelem+0x4cb/0x720 [<ffffffffadc7d983>] _sesysbpf+0x8c3/0xb90 [<ffffffffb029cc80>] dosyscall64+0x30/0x40 [<ffffffffb0400099>] entrySYSCALL64after_hwframe+0x61/0xc6

BUG: memory leak unreferenced object 0xff110001198ef528 (size 192): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffffadd281f0>] _cpumapentryalloc+0x260/0xb00 [<ffffffffadd28d8e>] cpumapupdateelem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpfmapupdatevalue.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] mapupdateelem+0x4cb/0x720 [<ffffffffadc7d983>] _sesysbpf+0x8c3/0xb90 [<ffffffffb029cc80>] dosyscall64+0x30/0x40 [<ffffffffb0400099>] entrySYSCALL64after_hwframe+0x61/0xc6

BUG: memory leak unreferenced object 0xff1100010fd93d68 (size 8): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace: [<ffffffffade5db3e>] kvmallocnode+0x11e/0x170 [<ffffffffadd28280>] _cpumapentryalloc+0x2f0/0xb00 [<ffffffffadd28d8e>] cpumapupdateelem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpfmapupdatevalue.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] mapupdateelem+0x4cb/0x720 [<ffffffffadc7d983>] _sesysbpf+0x8c3/0xb90 [<ffffffffb029cc80>] dosyscall64+0x30/0x40 [<ffffffffb0400099>] entrySYSCALL64afterhwframe+0x61/0xc6

In the cpumapupdateelem flow, when kthreadstop is called before calling the threadfn of rcpu->kthread, since the KTHREADSHOULDSTOP bit of kthread has been set by kthread_stop, the threadfn of rcpu->kthread will never be executed, and rcpu->refcnt will never be 0, which will lead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be released.

Calling kthread_stop before executing kthread's threadfn will return -EINTR. We can complete the release of memory resources in this state.

References

Affected packages