[SRU][F][PATCH 0/1] CVE-2023-52854

alice.munduruca at canonical.com
Mon Aug 11 18:38:52 UTC 2025


From: "Alice C. Munduruca" <alice.munduruca at canonical.com>

[ Impact ]

In certain high user load scenarios, it is possible for the `refcnt` attribute
in `struct parallel_data` to be freed before it is used. As a result, we should
add a check before freeing `parallel_data`.

To limit the invasiveness of the context changes required to apply the fix,
`refcount_dec_and_test` was changed to `atomic_dec_and_test`, as this provides
a more solid ordering guarantee and, more importantly, limits the scope of changes
to the `padata_free_shell` function.
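The decrement-and-test shape this fix relies on, as an added illustration that is not part of this patch and not code from kernel/padata.c: a constructed user-space model using C11 atomics, with invented names (`pd_model`, `pd_model_get`, `pd_model_put`), showing why only the holder that drops the last reference may free the shared object, and why the "is it zero?" check must be part of the same atomic step as the decrement.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not the kernel's struct parallel_data: a shared object
 * whose lifetime is governed by an atomic reference count. */
struct pd_model {
    atomic_int refcnt;   /* number of holders keeping the object alive */
    int payload;         /* stands in for the shared state holders read */
};

/* Diagnostic counter so a caller can verify how many frees happened. */
static int pd_model_frees;

int pd_model_free_count(void)
{
    return pd_model_frees;
}

struct pd_model *pd_model_alloc(int payload)
{
    struct pd_model *pd = malloc(sizeof *pd);
    if (!pd)
        return NULL;
    atomic_init(&pd->refcnt, 1);   /* the creator owns the first reference */
    pd->payload = payload;
    return pd;
}

/* Take an additional reference on behalf of a new holder. */
struct pd_model *pd_model_get(struct pd_model *pd)
{
    atomic_fetch_add_explicit(&pd->refcnt, 1, memory_order_relaxed);
    return pd;
}

/* Analogue of an atomic dec-and-test: the decrement and the test for zero are
 * one atomic step, so exactly one holder observes the last reference go away
 * and only that holder frees. Returns true if this call freed the object. */
bool pd_model_put(struct pd_model *pd)
{
    int old = atomic_fetch_sub_explicit(&pd->refcnt, 1, memory_order_acq_rel);
    if (old == 1) {
        pd_model_frees++;
        free(pd);
        return true;
    }
    return false;
}

/* Two holders share one object. Returns true if the object survived the first
 * put (so the remaining holder could still use it safely) and was freed
 * exactly once by the last put. Freeing on the first put would leave `other`
 * with a dangling pointer, which is the use-after-free shape being guarded. */
bool demo_two_holders(void)
{
    pd_model_frees = 0;
    struct pd_model *pd = pd_model_alloc(42);
    if (!pd)
        return false;
    struct pd_model *other = pd_model_get(pd);   /* second holder */

    bool freed_early = pd_model_put(pd);         /* first holder is done */
    if (freed_early)
        return false;                            /* would be a UAF for `other` */
    int still_readable = other->payload;         /* safe: refcnt is still 1 */

    bool freed_last = pd_model_put(other);       /* last holder frees */
    return still_readable == 42 && freed_last && pd_model_frees == 1;
}

int main(void)
{
    printf("guarded free behaves correctly: %s\n",
           demo_two_holders() ? "yes" : "no");
    return 0;
}
```

The model uses `memory_order_acq_rel` on the decrement so that the holder which frees sees every earlier holder's writes to the object, which is the ordering property the cover letter refers to when it prefers the atomic dec-and-test primitive.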

[ Fix ]

Focal:  Backported from torvalds/linux, removing a superfluous local variable
        (which caused the patch not to apply) and changing the type of the
        dec-and-test function to match the type of `refcnt`.
Bionic: Unaffected by commit bbefa1dd, which introduces the bug.
Xenial: Unaffected also.

[ Tests ]

Compile and boot tested.

[ What could go wrong ]

Given the limited scope of the changes to padata, it is likely that the only
issues that could arise from this fix would be for it not to work, i.e. for
certain situations to cause UAF and potential instability bugs.

WangJinchao (1):
  padata: Fix refcnt handling in padata_free_shell()

 kernel/padata.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

-- 
2.48.1