PT-2025-53184 · Linux+1 · Linux Kernel+1
Published 2025-12-24 · Updated 2026-05-26 · CVE-2023-54107
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the Linux kernel related to the blk-cgroup subsystem. Specifically, the issue involves dropping the reference count of a parent block group (blkg) before the pd_free_fn() function is called for the child. This can lead to a use-after-free (UAF) condition if cgroup policies access the parent page descriptor (pd) through the child pd after pd_offline_fn() has been executed, but before the parent's pd_free_fn() is completed. The problem arises because blkg_release() drops the parent blkg refcount before pd_free_fn() is called in blkg_free_workfn(), which is executed asynchronously. The fix orders the pd_free_fn() calls made during cgroup removal by delaying the drop of the parent refcount until after the child's pd_free_fn() has been called. The pd_free_fn() function is also called when deleting a device via blkcg_deactivate_policy(), and subsequent patches address ordering in that scenario.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
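The ordering problem from the Description, modeled in user space as an added example (not kernel code and not part of the original advisory). The struct, the helper names and the refcount values are assumptions made for illustration; a flag stands in for freed memory so that the model itself never touches invalid memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of a blkg; not the kernel's data structure. */
struct node {
    struct node *parent;
    int refcnt;
    bool pd_freed;              /* set once this node's pd has been released */
};

/* Drop one reference; the last put stands in for the node's pd_free_fn(). */
static void put(struct node *n)
{
    if (n && --n->refcnt == 0)
        n->pd_freed = true;
}

/* Child's free callback: a policy may still reach the parent pd via the child.
 * Returns true when that parent pd is already gone (the UAF window). */
static bool child_pd_free(const struct node *child)
{
    return child->parent && child->parent->pd_freed;
}

/* Replays cgroup removal. fixed=false: parent ref dropped in the release step,
 * before the asynchronous free work. fixed=true: dropped after the child's
 * free callback. Returns true if the callback saw a freed parent. */
static bool simulate(bool fixed, bool *parent_freed_at_end)
{
    struct node parent = { NULL, 2, false };   /* own ref + ref held by child */
    struct node child  = { &parent, 1, false };
    bool stale;

    put(&parent);                   /* parent cgroup removed: its own ref goes */
    if (!fixed)
        put(&parent);               /* old order: release step drops parent ref */
    stale = child_pd_free(&child);  /* async work item runs the child callback */
    if (fixed)
        put(&parent);               /* fixed order: drop only after callback */
    *parent_freed_at_end = parent.pd_freed;
    return stale;
}

int main(void)
{
    bool freed;
    printf("old order:   stale parent access = %d\n", simulate(false, &freed));
    printf("fixed order: stale parent access = %d\n", simulate(true, &freed));
    return 0;
}
```

In both orders the parent is released by the end of the sequence; only the fixed order guarantees that this happens after the child's callback has run.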
Exploit
Related Identifiers
Affected Products
Debian
Linux Kernel