{"id":"CVE-2023-53836","summary":"bpf, sockmap: Fix skb refcnt race after locking changes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix skb refcnt race after locking changes\n\nThere is a race where skb's from the sk_psock_backlog can be referenced\nafter userspace side has already skb_consumed() the sk_buff and its refcnt\ndropped to zer0 causing use after free.\n\nThe flow is the following:\n\n  while ((skb = skb_peek(&psock-\u003eingress_skb))\n    sk_psock_handle_Skb(psock, skb, ..., ingress)\n    if (!ingress) ...\n    sk_psock_skb_ingress\n       sk_psock_skb_ingress_enqueue(skb)\n          msg-\u003eskb = skb\n          sk_psock_queue_msg(psock, msg)\n    skb_dequeue(&psock-\u003eingress_skb)\n\nThe sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is\nwhat the application reads when recvmsg() is called. An application can\nread this anytime after the msg is placed on the queue. The recvmsg hook\nwill also read msg-\u003eskb and then after user space reads the msg will call\nconsume_skb(skb) on it effectively free'ing it.\n\nBut, the race is in above where backlog queue still has a reference to\nthe skb and calls skb_dequeue(). If the skb_dequeue happens after the\nuser reads and free's the skb we have a use after free.\n\nThe !ingress case does not suffer from this problem because it uses\nsendmsg_*(sk, msg) which does not pass the sk_buff further down the\nstack.\n\nThe following splat was observed with 'test_progs -t sockmap_listen':\n\n  [ 1022.710250][ T2556] general protection fault, ...\n  [...]\n  [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog\n  [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80\n  [ 1022.713653][ T2556] Code: ...\n  [...]\n  [ 1022.720699][ T2556] Call Trace:\n  [ 1022.720984][ T2556]  \u003cTASK\u003e\n  [ 1022.721254][ T2556]  ? die_addr+0x32/0x80^M\n  [ 1022.721589][ T2556]  ? exc_general_protection+0x25a/0x4b0\n  [ 1022.722026][ T2556]  ? asm_exc_general_protection+0x22/0x30\n  [ 1022.722489][ T2556]  ? skb_dequeue+0x4c/0x80\n  [ 1022.722854][ T2556]  sk_psock_backlog+0x27a/0x300\n  [ 1022.723243][ T2556]  process_one_work+0x2a7/0x5b0\n  [ 1022.723633][ T2556]  worker_thread+0x4f/0x3a0\n  [ 1022.723998][ T2556]  ? __pfx_worker_thread+0x10/0x10\n  [ 1022.724386][ T2556]  kthread+0xfd/0x130\n  [ 1022.724709][ T2556]  ? __pfx_kthread+0x10/0x10\n  [ 1022.725066][ T2556]  ret_from_fork+0x2d/0x50\n  [ 1022.725409][ T2556]  ? __pfx_kthread+0x10/0x10\n  [ 1022.725799][ T2556]  ret_from_fork_asm+0x1b/0x30\n  [ 1022.726201][ T2556]  \u003c/TASK\u003e\n\nTo fix we add an skb_get() before passing the skb to be enqueued in the\nengress queue. This bumps the skb-\u003eusers refcnt so that consume_skb()\nand kfree_skb will not immediately free the sk_buff. With this we can\nbe sure the skb is still around when we do the dequeue. Then we just\nneed to decrement the refcnt or free the skb in the backlog case which\nwe do by calling kfree_skb() on the ingress case as well as the sendmsg\ncase.\n\nBefore locking change from fixes tag we had the sock locked so we\ncouldn't race with user and there was no issue here.","modified":"2026-03-31T17:29:22.873969562Z","published":"2025-12-09T01:29:52.004Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53836.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/65ad600b9bde68d2d28709943ab00b51ca8f0a1d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/923877254f002ae87d441382bb1096d9e773d56d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a454d84ee20baf7bd7be90721b9821f73c7d23d9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6b5e47adb9166e732cdf7e6e034946e3f89f36d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53836.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53836"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3"},{"fixed":"65ad600b9bde68d2d28709943ab00b51ca8f0a1d"},{"fixed":"923877254f002ae87d441382bb1096d9e773d56d"},{"fixed":"e6b5e47adb9166e732cdf7e6e034946e3f89f36d"},{"fixed":"a454d84ee20baf7bd7be90721b9821f73c7d23d9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53836.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.13.0"},{"fixed":"5.15.189"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.5.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53836.json"}}],"schema_version":"1.7.5"}