CVE-2023-54193

Source
https://cve.org/CVERecord?id=CVE-2023-54193
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54193.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54193
Downstream
Published
2025-12-30T12:09:00.738Z
Modified
2026-04-02T09:45:40.647728Z
Summary
net/sched: cls_api: remove block_cb from driver_list before freeing
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_api: remove block_cb from driver_list before freeing

Error handler of tcf_block_bind() frees the whole bo->cb_list on error. However, by that time the flow_block_cb instances are already in the driver list because driver ndo_setup_tc() callback is called before that up the call chain in tcf_block_offload_cmd(). This leaves dangling pointers to freed objects in the list and causes use-after-free[0]. Fix it by also removing flow_block_cb instances from driver_list before deallocating them.

[ 279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0
[ 279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963


Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54193.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
59094b1e5094c7e50a3d2912202fd30b6a1dadf8
Fixed
cc5fe387c6294d0471cb7ed064efac97fac65ccc
Fixed
7311c8be3755611bf6edea4dfbeb190b4bdd489f
Fixed
cb145932fcf6814e7e95e467eb70e7849a845ae9
Fixed
55866fe3fded3ce94ac3fc1bb3dfce654282f483
Fixed
26aec72429a05e917d574eca0efc5306c63a8862
Fixed
7b7a74ed303d532fb73ae4b1697f16a0fea89cd0
Fixed
da94a7781fc3c92e7df7832bc2746f4d39bc624e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54193.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.4.243
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.180
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.112
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.29
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.16
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54193.json"