github - ghsa-h5mg-vw9m-f6v8

GHSA-H5MG-VW9M-F6V8

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30

Details

In the Linux kernel, the following vulnerability has been resolved:

block/rq_qos: protect rq_qos apis with a new lock

commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendisk(), this will introduce some problems:

1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can concurrent with del_gendisk(), it's not safe to write 'q->rq_qos' concurrently.

2) Activate cgroup policy that is relied on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, null-ptr-dereference will be triggered in blkcg_activate_policy().

3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk, then if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), then memory will be leaked.

This patch add a new disk level mutex 'rq_qos_mutex':

1) The lock will protect rq_qos_exit() directly.

2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. Hoever, in case that rq_qos dynamically destruction is supported in the furture, this patch also protect rq_qos_add() from wbt_init() directly, this is enough because blk-sysfs already synchronize writers with disk removal.

3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-53823"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:17:21Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rq_qos: protect rq_qos apis with a new lock\n\ncommit 50e34d78815e (\"block: disable the elevator int del_gendisk\")\nmove rq_qos_exit() from disk_release() to del_gendisk(), this will\nintroduce some problems:\n\n1) If rq_qos_add() is triggered by enabling iocost/iolatency through\n   cgroupfs, then it can concurrent with del_gendisk(), it\u0027s not safe to\n   write \u0027q-\u003erq_qos\u0027 concurrently.\n\n2) Activate cgroup policy that is relied on rq_qos will call\n   rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is\n   called in the middle, null-ptr-dereference will be triggered in\n   blkcg_activate_policy().\n\n3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the\n   disk, then if rq_qos_exit() from del_gendisk() is done before\n   rq_qos_add(), then memory will be leaked.\n\nThis patch add a new disk level mutex \u0027rq_qos_mutex\u0027:\n\n1) The lock will protect rq_qos_exit() directly.\n\n2) For wbt that doesn\u0027t relied on blk-cgroup, rq_qos_add() can only be\n   called from disk initialization for now because wbt can\u0027t be\n   destructed until rq_qos_exit(), so it\u0027s safe not to protect wbt for\n   now. Hoever, in case that rq_qos dynamically destruction is supported\n   in the furture, this patch also protect rq_qos_add() from wbt_init()\n   directly, this is enough because blk-sysfs already synchronize\n   writers with disk removal.\n\n3) For iocost and iolatency, in order to synchronize disk removal and\n   cgroup configuration, the lock is held after blkdev_get_no_open()\n   from blkg_conf_open_bdev(), and is released in blkg_conf_exit().\n   In order to fix the above memory leak, disk_live() is checked after\n   holding the new lock.",
  "id": "GHSA-h5mg-vw9m-f6v8",
  "modified": "2025-12-09T18:30:32Z",
  "published": "2025-12-09T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53823"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2023-53823 (GCVE-0-2023-53823)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29

Title

block/rq_qos: protect rq_qos apis with a new lock

Summary

In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendisk(), this will introduce some problems: 1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can concurrent with del_gendisk(), it's not safe to write 'q->rq_qos' concurrently. 2) Activate cgroup policy that is relied on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, null-ptr-dereference will be triggered in blkcg_activate_policy(). 3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk, then if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), then memory will be leaked. This patch add a new disk level mutex 'rq_qos_mutex': 1) The lock will protect rq_qos_exit() directly. 2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. Hoever, in case that rq_qos dynamically destruction is supported in the furture, this patch also protect rq_qos_add() from wbt_init() directly, this is enough because blk-sysfs already synchronize writers with disk removal. 3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/16398b4638b5cd8c1…
	https://git.kernel.org/stable/c/a13bd91be22318768…

Impacted products

Vendor

Product

Version

Linux

Affected: 50e34d78815e474d410f342fbe783b18192ca518 , < 16398b4638b5cd8c1dc95fc940a1591a801d53ce (git)
Affected: 50e34d78815e474d410f342fbe783b18192ca518 , < a13bd91be22318768d55470cbc0b0f4488ef9edf (git)
Affected: f28699fafc047ec33299da01e928c3a0073c5cc6 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c",
            "block/blk-core.c",
            "block/blk-rq-qos.c",
            "block/blk-wbt.c",
            "include/linux/blkdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "16398b4638b5cd8c1dc95fc940a1591a801d53ce",
              "status": "affected",
              "version": "50e34d78815e474d410f342fbe783b18192ca518",
              "versionType": "git"
            },
            {
              "lessThan": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
              "status": "affected",
              "version": "50e34d78815e474d410f342fbe783b18192ca518",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f28699fafc047ec33299da01e928c3a0073c5cc6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-cgroup.c",
            "block/blk-core.c",
            "block/blk-rq-qos.c",
            "block/blk-wbt.c",
            "include/linux/blkdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rq_qos: protect rq_qos apis with a new lock\n\ncommit 50e34d78815e (\"block: disable the elevator int del_gendisk\")\nmove rq_qos_exit() from disk_release() to del_gendisk(), this will\nintroduce some problems:\n\n1) If rq_qos_add() is triggered by enabling iocost/iolatency through\n   cgroupfs, then it can concurrent with del_gendisk(), it\u0027s not safe to\n   write \u0027q-\u003erq_qos\u0027 concurrently.\n\n2) Activate cgroup policy that is relied on rq_qos will call\n   rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is\n   called in the middle, null-ptr-dereference will be triggered in\n   blkcg_activate_policy().\n\n3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the\n   disk, then if rq_qos_exit() from del_gendisk() is done before\n   rq_qos_add(), then memory will be leaked.\n\nThis patch add a new disk level mutex \u0027rq_qos_mutex\u0027:\n\n1) The lock will protect rq_qos_exit() directly.\n\n2) For wbt that doesn\u0027t relied on blk-cgroup, rq_qos_add() can only be\n   called from disk initialization for now because wbt can\u0027t be\n   destructed until rq_qos_exit(), so it\u0027s safe not to protect wbt for\n   now. Hoever, in case that rq_qos dynamically destruction is supported\n   in the furture, this patch also protect rq_qos_add() from wbt_init()\n   directly, this is enough because blk-sysfs already synchronize\n   writers with disk removal.\n\n3) For iocost and iolatency, in order to synchronize disk removal and\n   cgroup configuration, the lock is held after blkdev_get_no_open()\n   from blkg_conf_open_bdev(), and is released in blkg_conf_exit().\n   In order to fix the above memory leak, disk_live() is checked after\n   holding the new lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:36.343Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf"
        }
      ],
      "title": "block/rq_qos: protect rq_qos apis with a new lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53823",
    "datePublished": "2025-12-09T01:29:36.343Z",
    "dateReserved": "2025-12-09T01:27:17.824Z",
    "dateUpdated": "2025-12-09T01:29:36.343Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-H5MG-VW9M-F6V8

CVE-2023-53823 (GCVE-0-2023-53823)

Tags

Sightings

Nomenclature