PT-2025-49655 · Linux+1 · Linux Kernel+1

Published 2025-12-09 · Updated 2026-03-24 · CVE-2023-53795

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.3.0-rc1-syzkaller

Description

The Linux kernel contained a flaw in the iommufd subsystem where IOMMUFD_DESTROY incorrectly increased the reference count. This created a race condition when combined with iommufd_object_destroy_user(), potentially leading to spurious failures. The issue stemmed from elevating the reference count without holding the destroy_rwsem, violating the assumption that temporary reference count elevations are protected by this semaphore. The resolution involves removing the reference count increment on the IOMMUFD_DESTROY path and utilizing the xa_lock to serialize operations, ensuring the reference count check and xa_erase are performed within a single critical region. While this change may result in EBUSY errors if userspace operations race with destroy operations, this racing condition was already considered dangerous.

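The check-and-erase pattern from the description, as an added user-space model (not kernel code and not the upstream patch). The names `obj_publish`, `obj_get`, `obj_put`, `obj_destroy` and `table_lock` are hypothetical; a pthread mutex stands in for the xa_lock and a fixed array for the xarray.

```c
/* User-space model: table_lock stands in for xa_lock, table[] for the xarray. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

#define MAX_OBJS 8
struct obj { int users; };   /* users == 1 means only the table holds it */

static struct obj *table[MAX_OBJS];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;

/* Publish an object; the table owns the initial reference. */
int obj_publish(unsigned id, struct obj *o)
{
    pthread_mutex_lock(&table_lock);
    int ret = id >= MAX_OBJS ? -EINVAL : table[id] ? -EEXIST : 0;
    if (!ret) { o->users = 1; table[id] = o; }
    pthread_mutex_unlock(&table_lock);
    return ret;
}

/* Normal operations take a temporary reference under the same lock. */
struct obj *obj_get(unsigned id)
{
    struct obj *o = NULL;
    pthread_mutex_lock(&table_lock);
    if (id < MAX_OBJS && (o = table[id]) != NULL) o->users++;
    pthread_mutex_unlock(&table_lock);
    return o;
}

void obj_put(struct obj *o)
{
    pthread_mutex_lock(&table_lock);
    o->users--;
    pthread_mutex_unlock(&table_lock);
}

/* Destroy never bumps the count: check and erase share one critical region. */
int obj_destroy(unsigned id)
{
    int ret = 0;
    pthread_mutex_lock(&table_lock);
    if (id >= MAX_OBJS || !table[id]) ret = -ENOENT;
    else if (table[id]->users != 1) ret = -EBUSY;  /* raced with a user */
    else table[id] = NULL;
    pthread_mutex_unlock(&table_lock);
    return ret;
}
```

Because destroy itself holds no temporary reference, a count other than 1 can only mean another operation is using the object, which is why the caller sees EBUSY instead of a spurious failure elsewhere.
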
Recommendations

Update to a newer version of the Linux kernel that resolves this issue.

Exploit

Related Identifiers

CVE-2023-53795
RHSA-2023:6583
RHSA-2024:2394
SUSE-SU-2026:0278-1
SUSE-SU-2026:0281-1
SUSE-SU-2026:0293-1
SUSE-SU-2026:0315-1
SUSE-SU-2026:20477-1
SUSE-SU-2026:20498-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1

Affected Products

Linux Kernel
Red Hat