{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: sch_taprio: fix possible use-after-free",
    "id" : "2355484",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2355484"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: sch_taprio: fix possible use-after-free\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\nThen net_tx_action was trying to use a destroyed qdisc.\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\nMany thanks to Alexander Potapenko for his help.\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\nqueued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\ndo_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n_raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\nspin_trylock include/linux/spinlock.h:359 [inline]\nqdisc_run_begin include/net/sch_generic.h:187 [inline]\nqdisc_run+0xee/0x540 include/net/pkt_sched.h:125\nnet_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n__do_softirq+0x1cc/0x7fb kernel/softirq.c:571\nrun_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\nsmpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\nkthread+0x31b/0x430 kernel/kthread.c:376\nret_from_fork+0x1f/0x30\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:732 [inline]\nslab_alloc_node mm/slub.c:3258 [inline]\n__kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\nkmalloc_reserve net/core/skbuff.c:358 [inline]\n__alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\nalloc_skb include/linux/skbuff.h:1257 [inline]\nnlmsg_new include/net/netlink.h:953 [inline]\nnetlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\nnetlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\nrtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\nnetlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\nnetlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\nnetlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n__sys_sendmsg net/socket.c:2565 [inline]\n__do_sys_sendmsg net/socket.c:2574 [inline]\n__se_sys_sendmsg net/socket.c:2572 [inline]\n__x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53021\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53021\nhttps://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-53021-def9@gregkh/T" ],
  "name" : "CVE-2023-53021",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}