PM: runtime: Fix a race condition related to device removal
Summary
| CVE | CVE-2026-23452 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-04-03 16:16:31 UTC |
|---|
| Updated | 2026-04-03 16:16:31 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
PM: runtime: Fix a race condition related to device removal
The following code in pm_runtime_work() may dereference the dev->parent
pointer after the parent device has been freed:
/* Maybe the parent is now able to suspend. */
if (parent && !parent->power.ignore_children) {
spin_unlock(&dev->power.lock);
spin_lock(&parent->power.lock);
rpm_idle(parent, RPM_ASYNC);
spin_unlock(&parent->power.lock);
spin_lock(&dev->power.lock);
}
Fix this by inserting a flush_work() call in pm_runtime_remove().
Without this patch blktest block/001 triggers the following complaint
sporadically:
BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
Workqueue: pm pm_runtime_work
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x80
print_address_description.constprop.0+0x8b/0x310
print_report+0xfd/0x1d7
kasan_report+0xd8/0x1d0
__kasan_check_byte+0x42/0x60
lock_acquire.part.0+0x38/0x230
lock_acquire+0x70/0x160
_raw_spin_lock+0x36/0x50
rpm_suspend+0xc6a/0xfe0
rpm_idle+0x578/0x770
pm_runtime_work+0xee/0x120
process_one_work+0xde3/0x1410
worker_thread+0x5eb/0xfe0
kthread+0x37b/0x480
ret_from_fork+0x6cb/0x920
ret_from_fork_asm+0x11/0x20
</TASK>
Allocated by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_alloc_info+0x3d/0x50
__kasan_kmalloc+0xa0/0xb0
__kmalloc_noprof+0x311/0x990
scsi_alloc_target+0x122/0xb60 [scsi_mod]
__scsi_scan_target+0x101/0x460 [scsi_mod]
scsi_scan_channel+0x179/0x1c0 [scsi_mod]
scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
store_scan+0x2d2/0x390 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810
do_syscall_64+0xee/0xfc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 4314:
kasan_save_stack+0x2a/0x50
kasan_save_track+0x18/0x40
kasan_save_free_info+0x3f/0x50
__kasan_slab_free+0x67/0x80
kfree+0x225/0x6c0
scsi_target_dev_release+0x3d/0x60 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
device_release+0xa3/0x220
kobject_cleanup+0x105/0x3a0
kobject_put+0x72/0xd0
put_device+0x17/0x20
scsi_device_put+0x7f/0xc0 [scsi_mod]
sdev_store_delete+0xa5/0x120 [scsi_mod]
dev_attr_store+0x43/0x80
sysfs_kf_write+0xde/0x140
kernfs_fop_write_iter+0x3ef/0x670
vfs_write+0x506/0x1470
ksys_write+0xfd/0x230
__x64_sys_write+0x76/0xc0
x64_sys_call+0x213/0x1810 |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 5649b46af8b167259e8a8e4e7eb3667ce74554b5 git |
Not specified |
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 39f2d86f2ddde8d1beda05732f30c7cd945e0b5a git |
Not specified |
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 c6febaacfb8a0aec7d771a0e6c21cd68102d5679 git |
Not specified |
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 bb081fd37f8312651140d7429557258afe51693d git |
Not specified |
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 cf65a77c0f9531eb6cfb97cc040974d2d8fff043 git |
Not specified |
| CNA |
Linux |
Linux |
affected 5e928f77a09a07f9dd595bb8a489965d69a83458 29ab768277617452d88c0607c9299cdc63b6e9ff git |
Not specified |
| CNA |
Linux |
Linux |
affected 2.6.32 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 2.6.32 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.1.167 6.1.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.130 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.78 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.20 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.19.10 6.19.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0-rc5 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
