CVE-2026-23452
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
03/04/2026
Última modificación:
03/04/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
PM: runtime: Fix a race condition related to device removal<br />
<br />
The following code in pm_runtime_work() may dereference the dev->parent<br />
pointer after the parent device has been freed:<br />
<br />
/* Maybe the parent is now able to suspend. */<br />
if (parent && !parent->power.ignore_children) {<br />
spin_unlock(&dev->power.lock);<br />
<br />
spin_lock(&parent->power.lock);<br />
rpm_idle(parent, RPM_ASYNC);<br />
spin_unlock(&parent->power.lock);<br />
<br />
spin_lock(&dev->power.lock);<br />
}<br />
<br />
Fix this by inserting a flush_work() call in pm_runtime_remove().<br />
<br />
Without this patch blktest block/001 triggers the following complaint<br />
sporadically:<br />
<br />
BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160<br />
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081<br />
Workqueue: pm pm_runtime_work<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x61/0x80<br />
print_address_description.constprop.0+0x8b/0x310<br />
print_report+0xfd/0x1d7<br />
kasan_report+0xd8/0x1d0<br />
__kasan_check_byte+0x42/0x60<br />
lock_acquire.part.0+0x38/0x230<br />
lock_acquire+0x70/0x160<br />
_raw_spin_lock+0x36/0x50<br />
rpm_suspend+0xc6a/0xfe0<br />
rpm_idle+0x578/0x770<br />
pm_runtime_work+0xee/0x120<br />
process_one_work+0xde3/0x1410<br />
worker_thread+0x5eb/0xfe0<br />
kthread+0x37b/0x480<br />
ret_from_fork+0x6cb/0x920<br />
ret_from_fork_asm+0x11/0x20<br />
<br />
<br />
Allocated by task 4314:<br />
kasan_save_stack+0x2a/0x50<br />
kasan_save_track+0x18/0x40<br />
kasan_save_alloc_info+0x3d/0x50<br />
__kasan_kmalloc+0xa0/0xb0<br />
__kmalloc_noprof+0x311/0x990<br />
scsi_alloc_target+0x122/0xb60 [scsi_mod]<br />
__scsi_scan_target+0x101/0x460 [scsi_mod]<br />
scsi_scan_channel+0x179/0x1c0 [scsi_mod]<br />
scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]<br />
store_scan+0x2d2/0x390 [scsi_mod]<br />
dev_attr_store+0x43/0x80<br />
sysfs_kf_write+0xde/0x140<br />
kernfs_fop_write_iter+0x3ef/0x670<br />
vfs_write+0x506/0x1470<br />
ksys_write+0xfd/0x230<br />
__x64_sys_write+0x76/0xc0<br />
x64_sys_call+0x213/0x1810<br />
do_syscall_64+0xee/0xfc0<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
<br />
Freed by task 4314:<br />
kasan_save_stack+0x2a/0x50<br />
kasan_save_track+0x18/0x40<br />
kasan_save_free_info+0x3f/0x50<br />
__kasan_slab_free+0x67/0x80<br />
kfree+0x225/0x6c0<br />
scsi_target_dev_release+0x3d/0x60 [scsi_mod]<br />
device_release+0xa3/0x220<br />
kobject_cleanup+0x105/0x3a0<br />
kobject_put+0x72/0xd0<br />
put_device+0x17/0x20<br />
scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]<br />
device_release+0xa3/0x220<br />
kobject_cleanup+0x105/0x3a0<br />
kobject_put+0x72/0xd0<br />
put_device+0x17/0x20<br />
scsi_device_put+0x7f/0xc0 [scsi_mod]<br />
sdev_store_delete+0xa5/0x120 [scsi_mod]<br />
dev_attr_store+0x43/0x80<br />
sysfs_kf_write+0xde/0x140<br />
kernfs_fop_write_iter+0x3ef/0x670<br />
vfs_write+0x506/0x1470<br />
ksys_write+0xfd/0x230<br />
__x64_sys_write+0x76/0xc0<br />
x64_sys_call+0x213/0x1810
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff
- https://git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a
- https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5
- https://git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d
- https://git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679
- https://git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043