2426105 – (CVE-2023-54227) CVE-2023-54227 kernel: blk-mq: fix tags leak when shrink nr_hw_queues

Bug 2426105 (CVE-2023-54227) - CVE-2023-54227 kernel: blk-mq: fix tags leak when shrink nr_hw_queues

Summary: CVE-2023-54227 kernel: blk-mq: fix tags leak when shrink nr_hw_queues

Keywords:
Status:	NEW
Alias:	CVE-2023-54227
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-30 13:09 UTC by OSIDB Bzimport
Modified:	2026-02-23 21:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:09:18 UTC

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix tags leak when shrink nr_hw_queues

Although we don't need to realloc set->tags[] when shrink nr_hw_queues,
we need to free them. Or these tags will be leaked.

How to reproduce:
1. mount -t configfs configfs /mnt
2. modprobe null_blk nr_devices=0 submit_queues=8
3. mkdir /mnt/nullb/nullb0
4. echo 1 > /mnt/nullb/nullb0/power
5. echo 4 > /mnt/nullb/nullb0/submit_queues
6. rmdir /mnt/nullb/nullb0

In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then
in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue).
At last in step 6, only these 5 tags are freed, the other 4 tags leaked.

Comment 1 Alexander B 2025-12-31 08:53:14 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123029-CVE-2023-54227-5c6c@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.