CVE-2023-53857 (GCVE-0-2023-53857)
Vulnerability from cvelistv5
Published
2025-12-09 01:30
Modified
2025-12-09 01:30
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27.138122] [ BUG: Invalid wait context ] [ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O [ 27.139542] ----------------------------- [ 27.140106] test_progs/1729 is trying to lock: [ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130 [ 27.141834] other info that might help us debug this: [ 27.142437] context-{5:5} [ 27.142856] 2 locks held by test_progs/1729: [ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40 [ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0 [ 27.145855] stack backtrace: [ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247 [ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 27.149127] Call Trace: [ 27.149490] <TASK> [ 27.149867] dump_stack_lvl+0x130/0x1d0 [ 27.152609] dump_stack+0x14/0x20 [ 27.153131] __lock_acquire+0x1657/0x2220 [ 27.153677] lock_acquire+0x1b8/0x510 [ 27.157908] local_lock_acquire+0x29/0x130 [ 27.159048] obj_cgroup_charge+0xf4/0x3c0 [ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0 [ 27.161931] __kmem_cache_alloc_node+0x51/0x210 [ 27.163557] __kmalloc+0xaa/0x210 [ 27.164593] bpf_map_kzalloc+0xbc/0x170 [ 27.165147] bpf_selem_alloc+0x130/0x510 [ 27.166295] bpf_local_storage_update+0x5aa/0x8e0 [ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0 [ 27.169199] bpf_map_update_value+0x415/0x4f0 [ 27.169871] map_update_elem+0x413/0x550 [ 27.170330] __sys_bpf+0x5e9/0x640 [ 27.174065] __x64_sys_bpf+0x80/0x90 [ 27.174568] do_syscall_64+0x48/0xa0 [ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 27.175932] RIP: 0033:0x7effb40e41ad [ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8 [ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141 [ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad [ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002 [ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788 [ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000 [ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000 [ 27.184958] </TASK> It complains about acquiring a local_lock while holding a raw_spin_lock. It means it should not allocate memory while holding a raw_spin_lock since it is not safe for RT. raw_spin_lock is needed because bpf_local_storage supports tracing context. In particular for task local storage, it is easy to get a "current" task PTR_TO_BTF_ID in tracing bpf prog. However, task (and cgroup) local storage has already been moved to bpf mem allocator which can be used after raw_spin_lock. The splat is for the sk storage. For sk (and inode) storage, it has not been moved to bpf mem allocator. Using raw_spin_lock or not, kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context. However, the local storage helper requires a verifier accepted sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running a bpf prog in a kzalloc unsafe context and also able to hold a verifier accepted sk pointer) could happen. This patch avoids kzalloc after raw_spin_lock to silent the splat. There is an existing kzalloc before the raw_spin_lock. At that point, a kzalloc is very likely required because a lookup has just been done before. Thus, this patch always does the kzalloc before acq ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: b00fa38a9c1cba044a32a601b49a55a18ed719d1
Version: b00fa38a9c1cba044a32a601b49a55a18ed719d1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/bpf_local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "300415caa373a07782fcbc2f8d9429bc2dc27a47",
              "status": "affected",
              "version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
              "versionType": "git"
            },
            {
              "lessThan": "a96a44aba556c42b432929d37d60158aca21ad4c",
              "status": "affected",
              "version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/bpf_local_storage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n\n\u0027./test_progs -t test_local_storage\u0027 reported a splat:\n\n[   27.137569] =============================\n[   27.138122] [ BUG: Invalid wait context ]\n[   27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G           O\n[   27.139542] -----------------------------\n[   27.140106] test_progs/1729 is trying to lock:\n[   27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[   27.141834] other info that might help us debug this:\n[   27.142437] context-{5:5}\n[   27.142856] 2 locks held by test_progs/1729:\n[   27.143352]  #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[   27.144492]  #1: ffff888107deb2c0 (\u0026storage-\u003elock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[   27.145855] stack backtrace:\n[   27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G           O       6.5.0-03980-gd11ae1b16b0a #247\n[   27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   27.149127] Call Trace:\n[   27.149490]  \u003cTASK\u003e\n[   27.149867]  dump_stack_lvl+0x130/0x1d0\n[   27.152609]  dump_stack+0x14/0x20\n[   27.153131]  __lock_acquire+0x1657/0x2220\n[   27.153677]  lock_acquire+0x1b8/0x510\n[   27.157908]  local_lock_acquire+0x29/0x130\n[   27.159048]  obj_cgroup_charge+0xf4/0x3c0\n[   27.160794]  slab_pre_alloc_hook+0x28e/0x2b0\n[   27.161931]  __kmem_cache_alloc_node+0x51/0x210\n[   27.163557]  __kmalloc+0xaa/0x210\n[   27.164593]  bpf_map_kzalloc+0xbc/0x170\n[   27.165147]  bpf_selem_alloc+0x130/0x510\n[   27.166295]  bpf_local_storage_update+0x5aa/0x8e0\n[   27.167042]  bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[   27.169199]  bpf_map_update_value+0x415/0x4f0\n[   27.169871]  map_update_elem+0x413/0x550\n[   27.170330]  __sys_bpf+0x5e9/0x640\n[   27.174065]  __x64_sys_bpf+0x80/0x90\n[   27.174568]  do_syscall_64+0x48/0xa0\n[   27.175201]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[   27.175932] RIP: 0033:0x7effb40e41ad\n[   27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[   27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[   27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[   27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[   27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[   27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[   27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[   27.184958]  \u003c/TASK\u003e\n\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\n\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\n\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\n\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. Thus, this patch always does the kzalloc before acq\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:23.593Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47"
        },
        {
          "url": "https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c"
        }
      ],
      "title": "bpf: bpf_sk_storage: Fix invalid wait context lockdep report",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53857",
    "datePublished": "2025-12-09T01:30:23.593Z",
    "dateReserved": "2025-12-09T01:27:17.828Z",
    "dateUpdated": "2025-12-09T01:30:23.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53857\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-09T16:17:26.403\",\"lastModified\":\"2025-12-09T18:37:13.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\\n\\n\u0027./test_progs -t test_local_storage\u0027 reported a splat:\\n\\n[   27.137569] =============================\\n[   27.138122] [ BUG: Invalid wait context ]\\n[   27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G           O\\n[   27.139542] -----------------------------\\n[   27.140106] test_progs/1729 is trying to lock:\\n[   27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\\n[   27.141834] other info that might help us debug this:\\n[   27.142437] context-{5:5}\\n[   27.142856] 2 locks held by test_progs/1729:\\n[   27.143352]  #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\\n[   27.144492]  #1: ffff888107deb2c0 (\u0026storage-\u003elock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\\n[   27.145855] stack backtrace:\\n[   27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G           O       6.5.0-03980-gd11ae1b16b0a #247\\n[   27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n[   27.149127] Call Trace:\\n[   27.149490]  \u003cTASK\u003e\\n[   27.149867]  dump_stack_lvl+0x130/0x1d0\\n[   27.152609]  dump_stack+0x14/0x20\\n[   27.153131]  __lock_acquire+0x1657/0x2220\\n[   27.153677]  lock_acquire+0x1b8/0x510\\n[   27.157908]  local_lock_acquire+0x29/0x130\\n[   27.159048]  obj_cgroup_charge+0xf4/0x3c0\\n[   27.160794]  slab_pre_alloc_hook+0x28e/0x2b0\\n[   27.161931]  __kmem_cache_alloc_node+0x51/0x210\\n[   27.163557]  __kmalloc+0xaa/0x210\\n[   27.164593]  bpf_map_kzalloc+0xbc/0x170\\n[   27.165147]  bpf_selem_alloc+0x130/0x510\\n[   27.166295]  bpf_local_storage_update+0x5aa/0x8e0\\n[   27.167042]  bpf_fd_sk_storage_update_elem+0xdb/0x1a0\\n[   27.169199]  bpf_map_update_value+0x415/0x4f0\\n[   27.169871]  map_update_elem+0x413/0x550\\n[   27.170330]  __sys_bpf+0x5e9/0x640\\n[   27.174065]  __x64_sys_bpf+0x80/0x90\\n[   27.174568]  do_syscall_64+0x48/0xa0\\n[   27.175201]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\\n[   27.175932] RIP: 0033:0x7effb40e41ad\\n[   27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\\n[   27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\\n[   27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\\n[   27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\\n[   27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\\n[   27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\\n[   27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\\n[   27.184958]  \u003c/TASK\u003e\\n\\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\\nIt means it should not allocate memory while holding a raw_spin_lock\\nsince it is not safe for RT.\\n\\nraw_spin_lock is needed because bpf_local_storage supports tracing\\ncontext. In particular for task local storage, it is easy to\\nget a \\\"current\\\" task PTR_TO_BTF_ID in tracing bpf prog.\\nHowever, task (and cgroup) local storage has already been moved to\\nbpf mem allocator which can be used after raw_spin_lock.\\n\\nThe splat is for the sk storage. For sk (and inode) storage,\\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\\nHowever, the local storage helper requires a verifier accepted\\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\\naccepted sk pointer) could happen.\\n\\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\\nThere is an existing kzalloc before the raw_spin_lock. At that point,\\na kzalloc is very likely required because a lookup has just been done\\nbefore. Thus, this patch always does the kzalloc before acq\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.