{"id":"CVE-2023-53427","summary":"cifs: Fix warning and UAF when destroy the MR list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix warning and UAF when destroy the MR list\n\nIf the MR allocate failed, the MR recovery work not initialized\nand list not cleared. Then will be warning and UAF when release\nthe MR:\n\n  WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110\n  CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82\n  RIP: 0010:__flush_work.isra.0+0xf7/0x110\n  Call Trace:\n   \u003cTASK\u003e\n   __cancel_work_timer+0x2ba/0x2e0\n   smbd_destroy+0x4e1/0x990\n   _smbd_get_connection+0x1cbd/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990\n  Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824\n  CPU: 4 PID: 824 Comm: mount.cifs Tainted: G        W          6.1.0-rc5+ #82\n  Call Trace:\n   dump_stack_lvl+0x34/0x44\n   print_report+0x171/0x472\n   kasan_report+0xad/0x130\n   smbd_destroy+0x4fc/0x990\n   _smbd_get_connection+0x1cbd/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  Allocated by task 824:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   __kasan_kmalloc+0x7a/0x90\n   _smbd_get_connection+0x1b6f/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n  Freed by task 824:\n   kasan_save_stack+0x1e/0x40\n   kasan_set_track+0x21/0x30\n   kasan_save_free_info+0x2a/0x40\n   ____kasan_slab_free+0x143/0x1b0\n   __kmem_cache_free+0xc8/0x330\n   _smbd_get_connection+0x1c6a/0x2110\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nLet's initialize the MR recovery work before MR allocate to prevent\nthe warning, remove the MRs from the list to prevent the UAF.","modified":"2026-04-02T09:44:11.338957Z","published":"2025-09-18T16:04:08.917Z","related":["SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53427.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/275a3d2b9408fc4895e342f772cab9a89960546e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2d0c4f5f618f58eba03385363717703bee873c64"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3524d6da0fe88aee79f06be6572955d16ad76b39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e161c2791f8e661eed24a2c624087084d910215"},{"type":"WEB","url":"https://git.kernel.org/stable/c/41832c62a75dad530dc5a2856c92ae5459d497e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7cbd5bdb5bd4404a5da4309521134b42c65846c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cfd85a0922c4696d768965e686ad805a58d9d834"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53427.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53427"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c7398583340a6d82b8bb7f7f21edcde27dc6a898"},{"fixed":"275a3d2b9408fc4895e342f772cab9a89960546e"},{"fixed":"3524d6da0fe88aee79f06be6572955d16ad76b39"},{"fixed":"cfd85a0922c4696d768965e686ad805a58d9d834"},{"fixed":"7cbd5bdb5bd4404a5da4309521134b42c65846c0"},{"fixed":"41832c62a75dad530dc5a2856c92ae5459d497e5"},{"fixed":"2d0c4f5f618f58eba03385363717703bee873c64"},{"fixed":"3e161c2791f8e661eed24a2c624087084d910215"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53427.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}