{"id":"CVE-2023-52447","summary":"bpf: Defer the free of inner map when necessary","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer the free of inner map when necessary\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops-\u003emap_free() in a kworker. But for now, most .map_free() callbacks\ndon't use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops-\u003emap_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.","modified":"2026-05-18T05:56:50.658864646Z","published":"2024-02-22T16:21:39.032Z","related":["SUSE-SU-2024:0855-1","SUSE-SU-2024:0858-1","SUSE-SU-2024:0900-1","SUSE-SU-2024:0900-2","SUSE-SU-2024:0910-1","SUSE-SU-2024:0977-1","SUSE-SU-2024:1321-1","SUSE-SU-2024:1466-1","SUSE-SU-2024:1480-1","SUSE-SU-2024:1490-1","USN-6818-2","USN-6819-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52447.json"},"references":[{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"type":"WEB","url":"https://git.kernel.org/stable/c/37d98fb9c3144c0fddf7f6e99aece9927ac8dce6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/62fca83303d608ad4fec3f7428c8685680bb01b0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/876673364161da50eed6b472d746ef88242b2368"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90c445799fd1dc214d7c6279c144e33a35e29ef2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfd9b20c4862f41d4590fde11d70a5eeae53dcc5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f91cd728b10c51f6d4a39957ccd56d1e802fc8ee"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52447.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52447"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bba1dc0b55ac462d24ed1228ad49800c238cd6d7"},{"fixed":"90c445799fd1dc214d7c6279c144e33a35e29ef2"},{"fixed":"37d98fb9c3144c0fddf7f6e99aece9927ac8dce6"},{"fixed":"62fca83303d608ad4fec3f7428c8685680bb01b0"},{"fixed":"f91cd728b10c51f6d4a39957ccd56d1e802fc8ee"},{"fixed":"bfd9b20c4862f41d4590fde11d70a5eeae53dcc5"},{"fixed":"876673364161da50eed6b472d746ef88242b2368"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52447.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.9.0"},{"fixed":"5.10.214"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.153"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.7.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52447.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}