{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54193","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.498Z","datePublished":"2025-12-30T12:09:00.738Z","dateUpdated":"2026-05-11T19:57:16.091Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:57:16.091Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: remove block_cb from driver_list before freeing\n\nError handler of tcf_block_bind() frees the whole bo->cb_list on error.\nHowever, by that time the flow_block_cb instances are already in the driver\nlist because driver ndo_setup_tc() callback is called before that up the\ncall chain in tcf_block_offload_cmd(). This leaves dangling pointers to\nfreed objects in the list and causes use-after-free[0]. Fix it by also\nremoving flow_block_cb instances from driver_list before deallocating them.\n\n[0]:\n[  279.868433] ==================================================================\n[  279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0\n[  279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963\n\n[  279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4\n[  279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  279.876295] Call Trace:\n[  279.876882]  <TASK>\n[  279.877413]  dump_stack_lvl+0x33/0x50\n[  279.878198]  print_report+0xc2/0x610\n[  279.878987]  ? flow_block_cb_setup_simple+0x631/0x7c0\n[  279.879994]  kasan_report+0xae/0xe0\n[  279.880750]  ? flow_block_cb_setup_simple+0x631/0x7c0\n[  279.881744]  ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core]\n[  279.883047]  flow_block_cb_setup_simple+0x631/0x7c0\n[  279.884027]  tcf_block_offload_cmd.isra.0+0x189/0x2d0\n[  279.885037]  ? tcf_block_setup+0x6b0/0x6b0\n[  279.885901]  ? mutex_lock+0x7d/0xd0\n[  279.886669]  ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0\n[  279.887844]  ? ingress_init+0x1c0/0x1c0 [sch_ingress]\n[  279.888846]  tcf_block_get_ext+0x61c/0x1200\n[  279.889711]  ingress_init+0x112/0x1c0 [sch_ingress]\n[  279.890682]  ? clsact_init+0x2b0/0x2b0 [sch_ingress]\n[  279.891701]  qdisc_create+0x401/0xea0\n[  279.892485]  ? qdisc_tree_reduce_backlog+0x470/0x470\n[  279.893473]  tc_modify_qdisc+0x6f7/0x16d0\n[  279.894344]  ? tc_get_qdisc+0xac0/0xac0\n[  279.895213]  ? mutex_lock+0x7d/0xd0\n[  279.896005]  ? __mutex_lock_slowpath+0x10/0x10\n[  279.896910]  rtnetlink_rcv_msg+0x5fe/0x9d0\n[  279.897770]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  279.898672]  ? __sys_sendmsg+0xb5/0x140\n[  279.899494]  ? do_syscall_64+0x3d/0x90\n[  279.900302]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  279.901337]  ? kasan_save_stack+0x2e/0x40\n[  279.902177]  ? kasan_save_stack+0x1e/0x40\n[  279.903058]  ? kasan_set_track+0x21/0x30\n[  279.903913]  ? kasan_save_free_info+0x2a/0x40\n[  279.904836]  ? ____kasan_slab_free+0x11a/0x1b0\n[  279.905741]  ? kmem_cache_free+0x179/0x400\n[  279.906599]  netlink_rcv_skb+0x12c/0x360\n[  279.907450]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  279.908360]  ? netlink_ack+0x1550/0x1550\n[  279.909192]  ? rhashtable_walk_peek+0x170/0x170\n[  279.910135]  ? kmem_cache_alloc_node+0x1af/0x390\n[  279.911086]  ? _copy_from_iter+0x3d6/0xc70\n[  279.912031]  netlink_unicast+0x553/0x790\n[  279.912864]  ? netlink_attachskb+0x6a0/0x6a0\n[  279.913763]  ? netlink_recvmsg+0x416/0xb50\n[  279.914627]  netlink_sendmsg+0x7a1/0xcb0\n[  279.915473]  ? netlink_unicast+0x790/0x790\n[  279.916334]  ? iovec_from_user.part.0+0x4d/0x220\n[  279.917293]  ? netlink_unicast+0x790/0x790\n[  279.918159]  sock_sendmsg+0xc5/0x190\n[  279.918938]  ____sys_sendmsg+0x535/0x6b0\n[  279.919813]  ? import_iovec+0x7/0x10\n[  279.920601]  ? kernel_sendmsg+0x30/0x30\n[  279.921423]  ? __copy_msghdr+0x3c0/0x3c0\n[  279.922254]  ? import_iovec+0x7/0x10\n[  279.923041]  ___sys_sendmsg+0xeb/0x170\n[  279.923854]  ? copy_msghdr_from_user+0x110/0x110\n[  279.924797]  ? ___sys_recvmsg+0xd9/0x130\n[  279.925630]  ? __perf_event_task_sched_in+0x183/0x470\n[  279.926656]  ? ___sys_sendmsg+0x170/0x170\n[  279.927529]  ? ctx_sched_in+0x530/0x530\n[  279.928369]  ? update_curr+0x283/0x4f0\n[  279.929185]  ? perf_event_update_userpage+0x570/0x570\n[  279.930201]  ? __fget_light+0x57/0x520\n[  279.931023]  ? __switch_to+0x53d/0xe70\n[  27\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/cls_api.c"],"versions":[{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"cc5fe387c6294d0471cb7ed064efac97fac65ccc","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"7311c8be3755611bf6edea4dfbeb190b4bdd489f","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"cb145932fcf6814e7e95e467eb70e7849a845ae9","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"55866fe3fded3ce94ac3fc1bb3dfce654282f483","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"26aec72429a05e917d574eca0efc5306c63a8862","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"7b7a74ed303d532fb73ae4b1697f16a0fea89cd0","status":"affected","versionType":"git"},{"version":"59094b1e5094c7e50a3d2912202fd30b6a1dadf8","lessThan":"da94a7781fc3c92e7df7832bc2746f4d39bc624e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/cls_api.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.4.243","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.112","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.29","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.16","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.3","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.4.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.2.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.3.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cc5fe387c6294d0471cb7ed064efac97fac65ccc"},{"url":"https://git.kernel.org/stable/c/7311c8be3755611bf6edea4dfbeb190b4bdd489f"},{"url":"https://git.kernel.org/stable/c/cb145932fcf6814e7e95e467eb70e7849a845ae9"},{"url":"https://git.kernel.org/stable/c/55866fe3fded3ce94ac3fc1bb3dfce654282f483"},{"url":"https://git.kernel.org/stable/c/26aec72429a05e917d574eca0efc5306c63a8862"},{"url":"https://git.kernel.org/stable/c/7b7a74ed303d532fb73ae4b1697f16a0fea89cd0"},{"url":"https://git.kernel.org/stable/c/da94a7781fc3c92e7df7832bc2746f4d39bc624e"}],"title":"net/sched: cls_api: remove block_cb from driver_list before freeing","x_generator":{"engine":"bippy-1.2.0"}}}}