{"id":"CVE-2023-53387","summary":"scsi: ufs: core: Fix device management cmd timeout flow","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix device management cmd timeout flow\n\nIn the UFS error handling flow, the host will send a device management cmd\n(NOP OUT) to the device for link recovery. If this cmd times out and\nclearing the doorbell fails, ufshcd_wait_for_dev_cmd() will do nothing and\nreturn. hba-\u003edev_cmd.complete struct is not set to NULL.\n\nWhen this happens, if cmd has been completed by device, then we will call\ncomplete() in __ufshcd_transfer_req_compl(). Because the complete struct is\nallocated on the stack, the following crash will occur:\n\n  ipanic_die+0x24/0x38 [mrdump]\n  die+0x344/0x748\n  arm64_notify_die+0x44/0x104\n  do_debug_exception+0x104/0x1e0\n  el1_dbg+0x38/0x54\n  el1_sync_handler+0x40/0x88\n  el1_sync+0x8c/0x140\n  queued_spin_lock_slowpath+0x2e4/0x3c0\n  __ufshcd_transfer_req_compl+0x3b0/0x1164\n  ufshcd_trc_handler+0x15c/0x308\n  ufshcd_host_reset_and_restore+0x54/0x260\n  ufshcd_reset_and_restore+0x28c/0x57c\n  ufshcd_err_handler+0xeb8/0x1b6c\n  process_one_work+0x288/0x964\n  worker_thread+0x4bc/0xc7c\n  kthread+0x15c/0x264\n  ret_from_fork+0x10/0x30","modified":"2026-04-11T12:46:46.313758Z","published":"2025-09-18T13:33:30.635Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53387.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/36822124f9de200cedc2f42516301b50d386a6cd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ffd2cd644e0f1eea01339831bac4b1054e8817c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf45493432704786a0f8294c7723ad4eeb5fff24"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53387.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53387"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f5c2976e0cb0f6236013bfb479868531b04f61d4"},{"fixed":"cf45493432704786a0f8294c7723ad4eeb5fff24"},{"fixed":"3ffd2cd644e0f1eea01339831bac4b1054e8817c"},{"fixed":"36822124f9de200cedc2f42516301b50d386a6cd"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"8841c1b02c8083e4451077a2b1f235bbfd0db105"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53387.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"6.1.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53387.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}