{"id":"CVE-2023-54195","summary":"rxrpc: Fix timeout of a call that hasn't yet been granted a channel","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn't yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t \u003cTASK\u003e\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated.  The timer will be started when the first packet is transmitted.\n\nIt shouldn't be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal.","modified":"2026-04-02T09:45:40.561994Z","published":"2025-12-30T12:09:02.123Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54195.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54195.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54195"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d"},{"fixed":"92128a7170a220b5126d09a1c1954a3a8d46cef3"},{"fixed":"72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"},{"fixed":"db099c625b13a74d462521a46d98a8ce5b53af5d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54195.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.3.0"},{"fixed":"6.3.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54195.json"}}],"schema_version":"1.7.5"}