GHSA-M34W-8VX7-2JWW
Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2025-12-24 12:30In the Linux kernel, the following vulnerability has been resolved:
opp: Fix use-after-free in lazy_opp_tables after probe deferral
When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available.
However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again.
This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.:
Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table()
Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path.
{
"affected": [],
"aliases": [
"CVE-2023-54026"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T11:15:55Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\n\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\n\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\n\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\n\n Unable to handle kernel NULL pointer dereference when read\n CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\n PC is at _of_add_opp_table_v2 (include/linux/of.h:949\n drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\n drivers/opp/of.c:1032) -\u003e lazy_link_required_opp_table()\n\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path.",
"id": "GHSA-m34w-8vx7-2jww",
"modified": "2025-12-24T12:30:28Z",
"published": "2025-12-24T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54026"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.