CVE-2026-23452 (GCVE-0-2026-23452)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-04-18 08:59
VLAI?
Title
PM: runtime: Fix a race condition related to device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM: runtime: Fix a race condition related to device removal
The following code in pm_runtime_work() may dereference the dev->parent
pointer after the parent device has been freed:
/* Maybe the parent is now able to suspend. */
if (parent && !parent->power.ignore_children) {
spin_unlock(&dev->power.lock);
spin_lock(&parent->power.lock);
rpm_idle(parent, RPM_ASYNC);
spin_unlock(&parent->power.lock);
spin_lock(&dev->power.lock);
}
Fix this by inserting a flush_work() call in pm_runtime_remove().
Without this patch blktest block/001 triggers the following complaint
sporadically:
BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
Workqueue: pm pm_runtime_work
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x80
print_address_description.constprop.0+0x8b/0x310
print_report+0xfd/0x1d7
kasan_report+0xd8/0x1d0
__kasan_check_byte+0x42/0x60
lock_acquire.part.0+0x38/0x230
lock_acquire+0x70/0x160
_raw_spin_lock+0x36/0x50
rpm_suspend+0xc6a/0xfe0
rpm_idle+0x578/0x770
pm_runtime_work+0xee/0x120
process_one_work+0xde3/0x1410
worker_thread+0x5eb/0xfe0
kthread+0x37b/0x480
ret_from_fork+0x6cb/0x920
ret_from_fork_asm+0x11/0x20
</TASK>
Allocated by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_alloc_info+0x3d/0x50
__kasan_kmalloc+0xa0/0xb0
__kmalloc_noprof+0x311/0x990
scsi_alloc_target+0x122/0xb60 [scsi_mod]
__scsi_scan_target+0x101/0x460 [scsi_mod]
scsi_scan_channel+0x179/0x1c0 [scsi_mod]
scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
store_scan+0x2d2/0x390 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810
do_syscall_64+0xee/0xfc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_free_info+0x3f/0x50
__kasan_slab_free+0x67/0x80
kfree+0x225/0x6c0
scsi_target_dev_release+0x3d/0x60 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_put+0x7f/0xc0 [scsi_mod]
sdev_store_delete+0xa5/0x120 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5e928f77a09a07f9dd595bb8a489965d69a83458 , < 20f6e2e22a9c6234113812d5f300d3e952a82721
(git)
Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 5649b46af8b167259e8a8e4e7eb3667ce74554b5 (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 39f2d86f2ddde8d1beda05732f30c7cd945e0b5a (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < c6febaacfb8a0aec7d771a0e6c21cd68102d5679 (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < bb081fd37f8312651140d7429557258afe51693d (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < cf65a77c0f9531eb6cfb97cc040974d2d8fff043 (git) Affected: 5e928f77a09a07f9dd595bb8a489965d69a83458 , < 29ab768277617452d88c0607c9299cdc63b6e9ff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/power/runtime.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20f6e2e22a9c6234113812d5f300d3e952a82721",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "5649b46af8b167259e8a8e4e7eb3667ce74554b5",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "39f2d86f2ddde8d1beda05732f30c7cd945e0b5a",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "c6febaacfb8a0aec7d771a0e6c21cd68102d5679",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "bb081fd37f8312651140d7429557258afe51693d",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "cf65a77c0f9531eb6cfb97cc040974d2d8fff043",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
},
{
"lessThan": "29ab768277617452d88c0607c9299cdc63b6e9ff",
"status": "affected",
"version": "5e928f77a09a07f9dd595bb8a489965d69a83458",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/power/runtime.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: runtime: Fix a race condition related to device removal\n\nThe following code in pm_runtime_work() may dereference the dev-\u003eparent\npointer after the parent device has been freed:\n\n\t/* Maybe the parent is now able to suspend. */\n\tif (parent \u0026\u0026 !parent-\u003epower.ignore_children) {\n\t\tspin_unlock(\u0026dev-\u003epower.lock);\n\n\t\tspin_lock(\u0026parent-\u003epower.lock);\n\t\trpm_idle(parent, RPM_ASYNC);\n\t\tspin_unlock(\u0026parent-\u003epower.lock);\n\n\t\tspin_lock(\u0026dev-\u003epower.lock);\n\t}\n\nFix this by inserting a flush_work() call in pm_runtime_remove().\n\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\n\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x8b/0x310\n print_report+0xfd/0x1d7\n kasan_report+0xd8/0x1d0\n __kasan_check_byte+0x42/0x60\n lock_acquire.part.0+0x38/0x230\n lock_acquire+0x70/0x160\n _raw_spin_lock+0x36/0x50\n rpm_suspend+0xc6a/0xfe0\n rpm_idle+0x578/0x770\n pm_runtime_work+0xee/0x120\n process_one_work+0xde3/0x1410\n worker_thread+0x5eb/0xfe0\n kthread+0x37b/0x480\n ret_from_fork+0x6cb/0x920\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nAllocated by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_alloc_info+0x3d/0x50\n __kasan_kmalloc+0xa0/0xb0\n __kmalloc_noprof+0x311/0x990\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\n __scsi_scan_target+0x101/0x460 [scsi_mod]\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\n store_scan+0x2d2/0x390 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n do_syscall_64+0xee/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFreed by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_free_info+0x3f/0x50\n __kasan_slab_free+0x67/0x80\n kfree+0x225/0x6c0\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_put+0x7f/0xc0 [scsi_mod]\n sdev_store_delete+0xa5/0x120 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T08:59:00.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20f6e2e22a9c6234113812d5f300d3e952a82721"
},
{
"url": "https://git.kernel.org/stable/c/b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e"
},
{
"url": "https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5"
},
{
"url": "https://git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a"
},
{
"url": "https://git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679"
},
{
"url": "https://git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d"
},
{
"url": "https://git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043"
},
{
"url": "https://git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff"
}
],
"title": "PM: runtime: Fix a race condition related to device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23452",
"datePublished": "2026-04-03T15:15:34.680Z",
"dateReserved": "2026-01-13T15:37:46.020Z",
"dateUpdated": "2026-04-18T08:59:00.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-23452",
"date": "2026-05-08",
"epss": "0.00035",
"percentile": "0.10326"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23452\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-03T16:16:31.617\",\"lastModified\":\"2026-04-18T09:16:27.643\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nPM: runtime: Fix a race condition related to device removal\\n\\nThe following code in pm_runtime_work() may dereference the dev-\u003eparent\\npointer after the parent device has been freed:\\n\\n\\t/* Maybe the parent is now able to suspend. */\\n\\tif (parent \u0026\u0026 !parent-\u003epower.ignore_children) {\\n\\t\\tspin_unlock(\u0026dev-\u003epower.lock);\\n\\n\\t\\tspin_lock(\u0026parent-\u003epower.lock);\\n\\t\\trpm_idle(parent, RPM_ASYNC);\\n\\t\\tspin_unlock(\u0026parent-\u003epower.lock);\\n\\n\\t\\tspin_lock(\u0026dev-\u003epower.lock);\\n\\t}\\n\\nFix this by inserting a flush_work() call in pm_runtime_remove().\\n\\nWithout this patch blktest block/001 triggers the following complaint\\nsporadically:\\n\\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\\nWorkqueue: pm pm_runtime_work\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x61/0x80\\n print_address_description.constprop.0+0x8b/0x310\\n print_report+0xfd/0x1d7\\n kasan_report+0xd8/0x1d0\\n __kasan_check_byte+0x42/0x60\\n lock_acquire.part.0+0x38/0x230\\n lock_acquire+0x70/0x160\\n _raw_spin_lock+0x36/0x50\\n rpm_suspend+0xc6a/0xfe0\\n rpm_idle+0x578/0x770\\n pm_runtime_work+0xee/0x120\\n process_one_work+0xde3/0x1410\\n worker_thread+0x5eb/0xfe0\\n kthread+0x37b/0x480\\n ret_from_fork+0x6cb/0x920\\n ret_from_fork_asm+0x11/0x20\\n \u003c/TASK\u003e\\n\\nAllocated by task 4314:\\n kasan_save_stack+0x2a/0x50\\n kasan_save_track+0x18/0x40\\n kasan_save_alloc_info+0x3d/0x50\\n __kasan_kmalloc+0xa0/0xb0\\n __kmalloc_noprof+0x311/0x990\\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\\n __scsi_scan_target+0x101/0x460 [scsi_mod]\\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\\n store_scan+0x2d2/0x390 [scsi_mod]\\n dev_attr_store+0x43/0x80\\n sysfs_kf_write+0xde/0x140\\n kernfs_fop_write_iter+0x3ef/0x670\\n vfs_write+0x506/0x1470\\n ksys_write+0xfd/0x230\\n __x64_sys_write+0x76/0xc0\\n x64_sys_call+0x213/0x1810\\n do_syscall_64+0xee/0xfc0\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n\\nFreed by task 4314:\\n kasan_save_stack+0x2a/0x50\\n kasan_save_track+0x18/0x40\\n kasan_save_free_info+0x3f/0x50\\n __kasan_slab_free+0x67/0x80\\n kfree+0x225/0x6c0\\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\\n device_release+0xa3/0x220\\n kobject_cleanup+0x105/0x3a0\\n kobject_put+0x72/0xd0\\n put_device+0x17/0x20\\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\\n device_release+0xa3/0x220\\n kobject_cleanup+0x105/0x3a0\\n kobject_put+0x72/0xd0\\n put_device+0x17/0x20\\n scsi_device_put+0x7f/0xc0 [scsi_mod]\\n sdev_store_delete+0xa5/0x120 [scsi_mod]\\n dev_attr_store+0x43/0x80\\n sysfs_kf_write+0xde/0x140\\n kernfs_fop_write_iter+0x3ef/0x670\\n vfs_write+0x506/0x1470\\n ksys_write+0xfd/0x230\\n __x64_sys_write+0x76/0xc0\\n x64_sys_call+0x213/0x1810\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/20f6e2e22a9c6234113812d5f300d3e952a82721\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…