CVE-2023-53401

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-53401
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53401.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53401
Downstream
Related
Published
2025-09-18T13:33:41.076Z
Modified
2026-03-11T07:46:30.515375623Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: kmem: fix a NULL pointer dereference in objstockflush_required()

KCSAN found an issue in objstockflushrequired(): stock->cachedobjcg can be reset between the check and dereference:

================================================================== BUG: KCSAN: data-race in drainallstock / drainobjstock

write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drainobjstock+0x408/0x4e0 mm/memcontrol.c:3306 refillobjstock+0x9c/0x1e0 mm/memcontrol.c:3340 objcgroupuncharge+0xe/0x10 mm/memcontrol.c:3408 memcgslabfree_hook mm/slab.h:587 [inline] __cache_free mm/slab.c:3373 [inline] __dokmemcachefree mm/slab.c:3577 [inline] kmemcache_free+0x105/0x280 mm/slab.c:3602 __dfree fs/dcache.c:298 [inline] dentryfree fs/dcache.c:375 [inline] __dentrykill+0x422/0x4a0 fs/dcache.c:621 dentrykill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 __fput+0x3bf/0x570 fs/file_table.c:329 ____fput+0x15/0x20 fs/filetable.c:349 taskworkrun+0x123/0x160 kernel/taskwork.c:179 resumeusermodework include/linux/resumeusermode.h:49 [inline] exittousermodeloop+0xcf/0xe0 kernel/entry/common.c:171 exittousermode_prepare+0x6a/0xa0 kernel/entry/common.c:203 _syscallexittousermodework kernel/entry/common.c:285 [inline] syscallexittousermode+0x26/0x140 kernel/entry/common.c:296 dosyscall64+0x4d/0xc0 arch/x86/entry/common.c:86 entrySYSCALL64afterhwframe+0x63/0xcd

read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: objstockflushrequired mm/memcontrol.c:3319 [inline] drainallstock+0x174/0x2a0 mm/memcontrol.c:2361 trychargememcg+0x6d0/0xd10 mm/memcontrol.c:2703 trycharge mm/memcontrol.c:2837 [inline] memcgroupchargeskmem+0x51/0x140 mm/memcontrol.c:7290 sockreservememory+0xb1/0x390 net/core/sock.c:1025 sksetsockopt+0x800/0x1e70 net/core/sock.c:1525 udplibsetsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udpsetsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sockcommon_setsockopt+0x61/0x70 net/core/sock.c:3668 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 __dosyssetsockopt net/socket.c:2282 [inline] __sesyssetsockopt net/socket.c:2279 [inline] __x64syssetsockopt+0x66/0x80 net/socket.c:2279 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

value changed: 0xffff8881382d52c0 -> 0xffff888138893740

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fix it by using READONCE()/WRITEONCE() for all accesses to stock->cached_objcg.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53401.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bf4f059954dcb221384b2f784677e19a13cd4bdb
Fixed
33d9490b27e5d8da4444aefd714a4f50189db978
Fixed
33391c7e1a2ad612bf3922cc168cb09a46bbe236
Fixed
3b8abb3239530c423c0b97e42af7f7e856e1ee96

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53401.json"