CVE-2023-53441

Source
https://cve.org/CVERecord?id=CVE-2023-53441
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53441.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53441
Published
2025-09-18T16:04:18.519Z
Modified
2026-05-28T03:55:46.024595787Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
bpf: cpumap: Fix memory leak in cpu_map_update_elem
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: cpumap: Fix memory leak in cpu_map_update_elem

Syzkaller reported a memory leak as follows:

BUG: memory leak
unreferenced object 0xff110001198ef748 (size 192):
  comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
  hex dump (first 32 bytes):
    00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00  ....J...........
    00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff  ........(.......
  backtrace:
    [<ffffffffadd28087>] __cpu_map_entry_alloc+0xf7/0xb00
    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40
    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

BUG: memory leak
unreferenced object 0xff110001198ef528 (size 192):
  comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffadd281f0>] __cpu_map_entry_alloc+0x260/0xb00
    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40
    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

BUG: memory leak
unreferenced object 0xff1100010fd93d68 (size 8):
  comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
  hex dump (first 8 bytes):
    00 00 00 00 00 00 00 00  ........
  backtrace:
    [<ffffffffade5db3e>] kvmalloc_node+0x11e/0x170
    [<ffffffffadd28280>] __cpu_map_entry_alloc+0x2f0/0xb00
    [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0
    [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520
    [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720
    [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90
    [<ffffffffb029cc80>] do_syscall_64+0x30/0x40
    [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

In the cpu_map_update_elem flow, when kthread_stop is called before the threadfn of rcpu->kthread runs, the KTHREAD_SHOULD_STOP bit of the kthread has already been set by kthread_stop, so the threadfn of rcpu->kthread will never be executed and rcpu->refcnt will never be 0, which means that the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be released.

Calling kthread_stop before executing kthread's threadfn will return -EINTR. We can complete the release of memory resources in this state.
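
The reference-count behaviour described in the commit message above, as an added user-space model in C (not code from the kernel or from the patch). The struct layout, the assumption of one reference for the map slot and one for the kthread, and the names put_entry, kthread_stop_model and leaked_after_stop are illustrative assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* User-space model (assumption): names follow the commit message, bodies are
 * simplified stand-ins, not kernel code. */
struct rcpu {
    int refcnt;        /* assumed: one ref for the map slot, one for the kthread */
    bool thread_ran;   /* did threadfn start before kthread_stop()? */
};

static int live_objects;   /* plays the role of kmemleak's object tracking */

static struct rcpu *entry_alloc(bool thread_ran)
{
    struct rcpu *r = calloc(1, sizeof(*r));
    if (!r)
        abort();
    r->refcnt = 2;
    r->thread_ran = thread_ran;
    live_objects++;
    return r;
}

static void put_entry(struct rcpu *r)
{
    if (--r->refcnt == 0) {   /* last reference frees rcpu and its queues */
        free(r);
        live_objects--;
    }
}

/* Models kthread_stop(): if threadfn never started it is skipped and -EINTR
 * is returned; otherwise threadfn exits and drops the kthread's reference. */
static int kthread_stop_model(struct rcpu *r)
{
    if (!r->thread_ran)
        return -EINTR;
    put_entry(r);
    return 0;
}

/* Teardown of one entry. Returns how many objects it left allocated. */
int leaked_after_stop(bool thread_ran, bool fixed)
{
    int before = live_objects;
    struct rcpu *r = entry_alloc(thread_ran);
    int err = kthread_stop_model(r);   /* map reference still held here */
    if (fixed && err == -EINTR)
        put_entry(r);                  /* drop the kthread's ref on its behalf */
    put_entry(r);                      /* drop the map slot's reference */
    return live_objects - before;
}
```

The unfixed path leaks only when the stop wins the race against thread start-up, and the -EINTR check does not cause an extra put when the thread did run.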

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53441.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6710e1126934d8b4372b4d2f9ae1646cd3f151bf
Fixed
d26299f50f5ea8f0aeb5d49e659c31f64233c816
Fixed
b11a9b4f28cb6ff69ef7e69809e5f7fffeac9030
Fixed
a957ac8e0b5ffb5797382a6adbafd005a5f72851
Fixed
4369016497319a9635702da010d02af1ebb1849d

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53441.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
5.15.121
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.40
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53441.json"