{
  "threat_severity" : "Low",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf: bpf_sk_storage: Fix invalid wait context lockdep report",
    "id" : "2420362",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420362"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-413",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n'./test_progs -t test_local_storage' reported a splat:\n[   27.137569] =============================\n[   27.138122] [ BUG: Invalid wait context ]\n[   27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G           O\n[   27.139542] -----------------------------\n[   27.140106] test_progs/1729 is trying to lock:\n[   27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[   27.141834] other info that might help us debug this:\n[   27.142437] context-{5:5}\n[   27.142856] 2 locks held by test_progs/1729:\n[   27.143352]  #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[   27.144492]  #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[   27.145855] stack backtrace:\n[   27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G           O       6.5.0-03980-gd11ae1b16b0a #247\n[   27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[   27.149127] Call Trace:\n[   27.149490]  <TASK>\n[   27.149867]  dump_stack_lvl+0x130/0x1d0\n[   27.152609]  dump_stack+0x14/0x20\n[   27.153131]  __lock_acquire+0x1657/0x2220\n[   27.153677]  lock_acquire+0x1b8/0x510\n[   27.157908]  local_lock_acquire+0x29/0x130\n[   27.159048]  obj_cgroup_charge+0xf4/0x3c0\n[   27.160794]  slab_pre_alloc_hook+0x28e/0x2b0\n[   27.161931]  __kmem_cache_alloc_node+0x51/0x210\n[   27.163557]  __kmalloc+0xaa/0x210\n[   27.164593]  bpf_map_kzalloc+0xbc/0x170\n[   27.165147]  bpf_selem_alloc+0x130/0x510\n[   27.166295]  bpf_local_storage_update+0x5aa/0x8e0\n[   27.167042]  bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[   27.169199]  bpf_map_update_value+0x415/0x4f0\n[   27.169871]  map_update_elem+0x413/0x550\n[   27.170330]  __sys_bpf+0x5e9/0x640\n[   27.174065]  __x64_sys_bpf+0x80/0x90\n[   27.174568]  do_syscall_64+0x48/0xa0\n[   27.175201]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[   27.175932] RIP: 0033:0x7effb40e41ad\n[   27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[   27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[   27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[   27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[   27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[   27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[   27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[   27.184958]  </TASK>\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. Thus, this patch always does the kzalloc before acq\n---truncated---", "A locking context violation was found in the BPF socket local storage implementation in the Linux kernel. The code attempts to allocate memory (via kzalloc) while holding a raw_spin_lock, which is unsafe for PREEMPT_RT kernels. This can cause lockdep warnings and potential issues on real-time kernels where sleeping with raw spinlocks held is not permitted." ],
  "statement" : "This is a locking context issue in BPF socket local storage that primarily affects PREEMPT_RT kernels. The impact is limited as it mainly causes lockdep warnings and affects only systems with specific BPF program configurations.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53857\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53857\nhttps://lore.kernel.org/linux-cve-announce/2025120903-CVE-2023-53857-5513@gregkh/T" ],
  "name" : "CVE-2023-53857",
  "csaw" : false
}