{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54195", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.498Z", "datePublished": "2025-12-30T12:09:02.123Z", "dateUpdated": "2025-12-30T12:09:02.123Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:09:02.123Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn't yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t <TASK>\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated. The timer will be started when the first packet is transmitted.\n\nIt shouldn't be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/afs/afs.h", "fs/afs/internal.h", "fs/afs/rxrpc.c", "include/net/af_rxrpc.h", "net/rxrpc/af_rxrpc.c", "net/rxrpc/ar-internal.h", "net/rxrpc/call_object.c", "net/rxrpc/sendmsg.c"], "versions": [{"version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "lessThan": "92128a7170a220b5126d09a1c1954a3a8d46cef3", "status": "affected", "versionType": "git"}, {"version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "lessThan": "72f4a9f3f447948cf86dffe1c4a4c8a429ab9666", "status": "affected", "versionType": "git"}, {"version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "lessThan": "db099c625b13a74d462521a46d98a8ce5b53af5d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/afs/afs.h", "fs/afs/internal.h", "fs/afs/rxrpc.c", "include/net/af_rxrpc.h", "net/rxrpc/af_rxrpc.c", "net/rxrpc/ar-internal.h", "net/rxrpc/call_object.c", "net/rxrpc/sendmsg.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.16", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.3", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"}, {"url": "https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"}, {"url": "https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"}], "title": "rxrpc: Fix timeout of a call that hasn't yet been granted a channel", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn't yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t <TASK>\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated. The timer will be started when the first packet is transmitted.\n\nIt shouldn't be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal."}], "id": "CVE-2023-54195", "lastModified": "2025-12-30T13:16:07.547", "metrics": {}, "published": "2025-12-30T13:16:07.547", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}