In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Fix a refcount bug in qrtr_recvmsg()
Syzbot reported a bug as follows:
refcount_t: addition on 0; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
...
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]
 qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]
 qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]
 qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070
 sock_recvmsg_nosec net/socket.c:1017 [inline]
 sock_recvmsg+0xe2/0x160 net/socket.c:1038
 qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688
 process_one_work+0x991/0x15c0 kernel/workqueue.c:2390
 worker_thread+0x669/0x1090 kernel/workqueue.c:2537
It occurs in the concurrent scenario of qrtr_recvmsg() and qrtr_endpoint_unregister() as follows:
cpu0                                      cpu1
qrtr_recvmsg                              qrtr_endpoint_unregister
qrtr_send_resume_tx                       qrtr_node_release
qrtr_node_lookup                          mutex_lock(&qrtr_node_lock)
spin_lock_irqsave(&qrtr_nodes_lock, )     refcount_dec_and_test(&node->ref) [node->ref == 0]
radix_tree_lookup [node != NULL]          __qrtr_node_release
qrtr_node_acquire                         spin_lock_irqsave(&qrtr_nodes_lock, )
kref_get(&node->ref) [WARNING]            ...
                                          mutex_unlock(&qrtr_node_lock)
Use qrtr_node_lock to protect the qrtr_node_lookup() implementation; this actually improves the protection of the node reference.
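The interleaving above, replayed as an added userspace model. This is not kernel code and not part of the commit: it runs the cpu0/cpu1 schedule once against a lookup that takes only the table lock (the pre-fix shape) and once against a lookup serialised by the node mutex (the shape of the fix). The names node_tab, lookup_unfixed, lookup_fixed, release_begin, release_end, replay_race, race_warnings and race_uaf are assumptions chosen for illustration; refcount_t's "addition on 0" check is modelled as a warning counter, and qrtr_node_lock as a flag, so the exact ordering from the report can be replayed deterministically in one thread.

```c
/*
 * Added example, not kernel code. Single-threaded replay of the
 * qrtr_node_lookup() / qrtr_node_release() race. All names are
 * illustrative assumptions; qrtr_node_lock is modelled as a flag and
 * qrtr_nodes_lock is omitted, since the replay never runs two CPUs at once.
 */
#include <stdbool.h>
#include <string.h>

#define MAX_NODES 8

struct node {
    unsigned int id;
    unsigned int ref;   /* models the refcount_t inside the kref */
    bool freed;         /* set once __qrtr_node_release() has run */
};

static struct node *node_tab[MAX_NODES]; /* models the radix tree */
static bool node_lock_held;              /* models qrtr_node_lock (mutex) */
static int saturate_warnings;            /* "refcount_t: addition on 0" events */

/* refcount_inc() semantics: incrementing from 0 means the object is already
 * being freed, so the kernel warns and the caller ends up with a stale pointer. */
static void ref_inc(struct node *n)
{
    if (n->ref == 0)
        saturate_warnings++;
    n->ref++;
}

static bool ref_dec_and_test(struct node *n)
{
    return --n->ref == 0;
}

/* __qrtr_node_release(): unlink from the table, then free the node. */
static void __node_release(struct node *n)
{
    node_tab[n->id] = NULL;
    n->freed = true;
}

enum lookup_result { LOOKUP_NULL, LOOKUP_OK, LOOKUP_WOULD_BLOCK };

/* Pre-fix qrtr_node_lookup(): only the table lock is held, so a node whose
 * count already reached 0 but is still linked in the table is found and
 * "acquired" from zero. */
static enum lookup_result lookup_unfixed(unsigned int id, struct node **out)
{
    struct node *n = node_tab[id];

    if (n)
        ref_inc(n);     /* qrtr_node_acquire() -> kref_get() */
    *out = n;
    return n ? LOOKUP_OK : LOOKUP_NULL;
}

/* Post-fix qrtr_node_lookup(): qrtr_node_lock is taken around the lookup, so it
 * is serialised with the whole of qrtr_node_release(). A real mutex_lock()
 * would sleep while the release holds the lock; the replay reports that as
 * LOOKUP_WOULD_BLOCK and the caller retries once the lock is free. */
static enum lookup_result lookup_fixed(unsigned int id, struct node **out)
{
    enum lookup_result r;

    if (node_lock_held)
        return LOOKUP_WOULD_BLOCK;
    node_lock_held = true;
    r = lookup_unfixed(id, out);
    node_lock_held = false;
    return r;
}

/* qrtr_node_release() split at the race window: the count hits 0 under
 * qrtr_node_lock, and the node is unlinked and freed a moment later. */
static bool release_begin(struct node *n)
{
    node_lock_held = true;
    return ref_dec_and_test(n);
}

static void release_end(struct node *n, bool last)
{
    if (last)
        __node_release(n);
    node_lock_held = false;
}

/* Replays the cpu0/cpu1 schedule from the report. Returns the number of
 * "addition on 0" warnings; *uaf reports whether cpu0 ended up holding a
 * pointer to a node that had already been freed. */
static int replay_race(bool use_fixed_lookup, bool *uaf)
{
    static struct node n;
    struct node *found = NULL;
    enum lookup_result r;
    bool last;

    memset(&n, 0, sizeof(n));
    n.id = 1;
    n.ref = 1;                  /* the reference the endpoint is about to drop */
    node_tab[n.id] = &n;
    saturate_warnings = 0;
    *uaf = false;

    last = release_begin(&n);   /* cpu1: refcount_dec_and_test -> 0 */
    r = use_fixed_lookup ? lookup_fixed(n.id, &found)
                         : lookup_unfixed(n.id, &found);   /* cpu0 */
    release_end(&n, last);      /* cpu1: __qrtr_node_release, mutex_unlock */
    if (r == LOOKUP_WOULD_BLOCK) /* cpu0 wakes up now and looks up again */
        r = lookup_fixed(n.id, &found);
    if (r == LOOKUP_OK)
        *uaf = found->freed;    /* cpu0 goes on to use what it got back */
    return saturate_warnings;
}

/* Wrappers so each outcome can be checked on its own. */
static int race_warnings(bool fixed) { bool uaf; return replay_race(fixed, &uaf); }
static bool race_uaf(bool fixed) { bool uaf; replay_race(fixed, &uaf); return uaf; }
```

With the pre-fix lookup the replay reports one "addition on 0" warning and cpu0 is left holding a freed node, which is the syzbot report in miniature. With the lookup serialised by qrtr_node_lock, the decrement to zero and the table unlink both happen while the mutex is held, so a lookup that holds the same mutex either sees a count above zero or finds no entry at all; there is no window in which a dead node can be acquired.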
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53445.json",
"cna_assigner": "Linux"
}