CVE-2023-54107
- Source
- https://cve.org/CVERecord?id=CVE-2023-54107
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54107.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-54107
- Downstream
- Related
- Published
- 2025-12-24T13:06:31.505Z
- Modified
- 2026-02-04T02:55:17.196938Z
- Summary
- blk-cgroup: dropping parent refcount after pd_free_fn() is done
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: dropping parent refcount after pdfreefn() is done
Some cgroup policies will access parent pd through child pd even after pdofflinefn() is done. If pdfreefn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pdfreefn().
Currently refcount of parent blkg is dropped in _blkgrelease(), which is before pdfreefn() is called in blkgfreeworkfn() while blkgfreeworkfn() is called asynchronously.
This patch make sure pdfreefn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pdfreefn() for child.
BTW, pdfreefn() will also be called from blkcgdeactivatepolicy() from deleting device, and following patches will guarantee the order.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54107.json" }- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd578c770c85233af592e54537f93f3831bde7e9aFixedc7241babf0855d8a6180cd1743ff0ec34de40b4e
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"target": {
"file": "block/blk-cgroup.c",
"function": "__blkg_release"
},
"id": "CVE-2023-54107-17bfe414",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7241babf0855d8a6180cd1743ff0ec34de40b4e",
"digest": {
"length": 283.0,
"function_hash": "67172724618575465487732848208919025467"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "block/blk-cgroup.c",
"function": "blkg_free_workfn"
},
"id": "CVE-2023-54107-7011e94f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7241babf0855d8a6180cd1743ff0ec34de40b4e",
"digest": {
"length": 397.0,
"function_hash": "200186883369170518240738153774639123029"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "block/blk-cgroup.c"
},
"id": "CVE-2023-54107-cb5e8d3b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7241babf0855d8a6180cd1743ff0ec34de40b4e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"4988935689754887389331331750316911996",
"98002396530071391025572883287810551177",
"141204743315839806093186370520416731629",
"139216398823198552658306909401603756299",
"292078462098062965547420795992669211509",
"175408663656895402505989086499873826232",
"132489402297869546735564834849348014670",
"293414004345354603215609366070639846000"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54107.json"