CVE-2023-53186
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-53186
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53186.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-53186
- Downstream
- Published
- 2025-09-15T14:04:38Z
- Modified
- 2025-10-16T15:52:27.692944Z
- Summary
- skbuff: Fix a race between coalescing and releasing SKBs
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
skbuff: Fix a race between coalescing and releasing SKBs
Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment recycling") allowed coalescing to proceed with non page pool page and page pool page when @from is cloned, i.e.
to->pprecycle --> false from->pprecycle --> true skb_cloned(from) --> true
However, it actually requires skbcloned(@from) to hold true until coalescing finishes in this situation. If the other cloned SKB is released while the merging is in process, fromshinfo->nr_frags will be set to 0 toward the end of the function, causing the increment of frag page _refcount to be unexpectedly skipped resulting in inconsistent reference counts. Later when SKB(@to) is released, it frees the page directly even though the page pool page is still in use, leading to use-after-free or double-free errors. So it should be prohibited.
The double-free error message below prompted us to investigate: BUG: Bad page state in process swapper/1 pfn:0e0d1 page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xe0d1 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000 raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000 page dumped because: nonzero _refcount
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+ Call Trace: <IRQ> dumpstacklvl+0x32/0x50 badpage+0x69/0xf0 freepcpprepare+0x260/0x2f0 freeunrefpage+0x20/0x1c0 skbreleasedata+0x10b/0x1a0 napiconsumeskb+0x56/0x150 netrxaction+0xf0/0x350 ? _napischedule+0x79/0x90 _dosoftirq+0xc8/0x2b1 _irqexitrcu+0xb9/0xf0 commoninterrupt+0x82/0xa0 </IRQ> <TASK> asmcommoninterrupt+0x22/0x40 RIP: 0010:defaultidle+0xb/0x20
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0646dc31ca886693274df5749cd0c8c1eaaeb5ca
- https://git.kernel.org/stable/c/5f692c992a3bb9a8018e3488098b401a4229e7ec
- https://git.kernel.org/stable/c/71850b5af92da21b4862a9bc55bda61091247d00
- https://git.kernel.org/stable/c/906a6689bb0191ad2a44131a3377006aa098af59
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced53e0961da1c7bbdabd1abebb20de403ec237ec09Fixed906a6689bb0191ad2a44131a3377006aa098af59
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced53e0961da1c7bbdabd1abebb20de403ec237ec09Fixed71850b5af92da21b4862a9bc55bda61091247d00
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced53e0961da1c7bbdabd1abebb20de403ec237ec09Fixed5f692c992a3bb9a8018e3488098b401a4229e7ec
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced53e0961da1c7bbdabd1abebb20de403ec237ec09Fixed0646dc31ca886693274df5749cd0c8c1eaaeb5ca