Bug 2425208 (CVE-2023-54107) - CVE-2023-54107 kernel: Linux kernel blk-cgroup: Use-after-free vulnerability leading to denial of service
Summary: CVE-2023-54107 kernel: Linux kernel blk-cgroup: Use-after-free vulnerability ...
Keywords:
Status: NEW
Alias: CVE-2023-54107
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-24 14:10 UTC by OSIDB Bzimport
Modified: 2026-02-17 01:36 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-24 14:10:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: dropping parent refcount after pd_free_fn() is done

Some cgroup policies will access parent pd through child pd even
after pd_offline_fn() is done. If pd_free_fn() for parent is called
before child, then UAF can be triggered. Hence it's better to guarantee
the order of pd_free_fn().

Currently refcount of parent blkg is dropped in __blkg_release(), which
is before pd_free_fn() is called in blkg_free_work_fn() while
blkg_free_work_fn() is called asynchronously.

This patch make sure pd_free_fn() called from removing cgroup is ordered
by delaying dropping parent refcount after calling pd_free_fn() for
child.

BTW, pd_free_fn() will also be called from blkcg_deactivate_policy()
from deleting device, and following patches will guarantee the order.
Comment 1 Alexander B 2025-12-24 18:37:47 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122412-CVE-2023-54107-12ef@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.