{"id":"CVE-2023-54107","summary":"blk-cgroup: dropping parent refcount after pd_free_fn() is done","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: dropping parent refcount after pd_free_fn() is done\n\nSome cgroup policies will access parent pd through child pd even\nafter pd_offline_fn() is done. If pd_free_fn() for parent is called\nbefore child, then UAF can be triggered. Hence it's better to guarantee\nthe order of pd_free_fn().\n\nCurrently refcount of parent blkg is dropped in __blkg_release(), which\nis before pd_free_fn() is called in blkg_free_work_fn() while\nblkg_free_work_fn() is called asynchronously.\n\nThis patch make sure pd_free_fn() called from removing cgroup is ordered\nby delaying dropping parent refcount after calling pd_free_fn() for\nchild.\n\nBTW, pd_free_fn() will also be called from blkcg_deactivate_policy()\nfrom deleting device, and following patches will guarantee the order.","modified":"2026-04-02T09:45:36.288607Z","published":"2025-12-24T13:06:31.505Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0317-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54107.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54107.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54107"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d578c770c85233af592e54537f93f3831bde7e9a"},{"fixed":"c7241babf0855d8a6180cd1743ff0ec34de40b4e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54107.json"}}],"schema_version":"1.7.5"}