CVE-2023-53823
Description
In the Linux kernel, the following vulnerability has been resolved:
block/rq_qos: protect rq_qos apis with a new lock
commit 50e34d78815e ("block: disable the elevator int del_gendisk") moved rq_qos_exit() from disk_release() to del_gendisk(); this introduces some problems:
1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, it can run concurrently with del_gendisk(), and it's not safe to write 'q->rq_qos' concurrently.
2) Activating a cgroup policy that relies on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, a null-ptr-dereference will be triggered in blkcg_activate_policy().
3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk; then, if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), memory will be leaked.
This patch adds a new disk level mutex 'rq_qos_mutex':
1) The lock will protect rq_qos_exit() directly.
2) For wbt, which doesn't rely on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. However, in case rq_qos dynamic destruction is supported in the future, this patch also protects rq_qos_add() from wbt_init() directly; this is enough because blk-sysfs already synchronizes writers with disk removal.
3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev() and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race between disk removal (del_gendisk()) and cgroup I/O controller configuration in the Linux kernel's block layer rq_qos subsystem could cause an unsynchronized write to q->rq_qos, a NULL-pointer dereference in blkcg_activate_policy(), or a memory leak.
Vulnerability
A race condition exists in the Linux kernel's block layer request quality-of-service (rq_qos) subsystem. Commit 50e34d78815e moved rq_qos_exit() from disk_release() to del_gendisk(), so disk removal can now overlap with rq_qos_add() calls triggered by cgroupfs operations that enable iocost or iolatency on that disk. Nothing serialized the two paths, and concurrent writes to q->rq_qos are not safe [1].
Exploitation
Reaching the race requires disk removal (del_gendisk(), e.g. on device hot-unplug) to overlap with a cgroupfs write that enables iocost or iolatency on that disk; that write goes through blkg_conf_open_bdev() and rq_qos_add(). The description does not state what privileges either side requires, how wide the window is, or whether it has been exploited; it documents a missing lock between disk removal and cgroup configuration, not a demonstrated attack path [1].
Impact
Depending on the interleaving, the outcome is an unsynchronized write to q->rq_qos (problem 1), a NULL-pointer dereference in blkcg_activate_policy() when rq_qos_exit() runs between rq_qos_add() and blkcg_activate_policy() (problem 2), or a memory leak when blkg_conf_open_bdev() finds the disk but rq_qos_exit() completes before rq_qos_add() (problem 3). The NULL-pointer dereference is a kernel crash, i.e. a denial of service; the description does not describe any further consequence [1].
Mitigation
The fix introduces a disk-level mutex, rq_qos_mutex, that rq_qos_exit() takes directly, that wbt_init() takes around its rq_qos_add(), and that blkg_conf_open_bdev() takes after blkdev_get_no_open() and blkg_conf_exit() releases; the iocost and iolatency paths check disk_live() only after acquiring it, which is what closes the leak in problem 3. The patch has been applied to the Linux kernel stable tree [1]. Users should update to a kernel version containing commit a13bd91be22318768d55470cbc0b0f4488ef9edf.
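To make the locking order concrete, the following is an added single-threaded C model of the interleavings named in the description; it is not kernel code and not the patch's own code. The struct layouts, the mutex_model stand-in for struct mutex, the live_allocs counter and the helper names ending in _prefix/_fixed are assumptions of the model; only the kernel function names it mirrors (rq_qos_exit, del_gendisk, blkg_conf_open_bdev, blkg_conf_exit, rq_qos_add, disk_live) are from the description. It replays problem 3 without the lock, then the two orderings the new lock permits.

```c
/* Added example, not kernel code: single-threaded model of the
 * rq_qos_add()/rq_qos_exit() interleavings from the CVE-2023-53823 description.
 * Structs, mutex stand-in, live_allocs and the _prefix/_fixed names are assumptions. */
#include <errno.h>
#include <stdlib.h>

struct rq_qos { struct rq_qos *next; };   /* kernel chains policies off q->rq_qos */
struct mutex_model { int held; };         /* stand-in for struct mutex; misuse aborts */

struct request_queue {
    struct rq_qos *rq_qos;                /* list head written without a lock pre-fix */
    struct mutex_model rq_qos_mutex;      /* the lock the fix adds (per disk in the kernel) */
    int disk_live;                        /* cleared by del_gendisk(), like disk_live() */
};

static int live_allocs;                   /* rq_qos objects allocated and not yet freed */

static void mutex_lock(struct mutex_model *m)   { if (m->held) abort(); m->held = 1; }
static void mutex_unlock(struct mutex_model *m) { if (!m->held) abort(); m->held = 0; }

static struct rq_qos *rq_qos_alloc(void)
{
    struct rq_qos *r = calloc(1, sizeof *r);
    if (!r) abort();
    live_allocs++;
    return r;
}

/* rq_qos_exit(), called from del_gendisk(): frees every policy; the fix makes it take the lock. */
static void rq_qos_exit(struct request_queue *q)
{
    mutex_lock(&q->rq_qos_mutex);
    while (q->rq_qos) {
        struct rq_qos *r = q->rq_qos;
        q->rq_qos = r->next;
        free(r);
        live_allocs--;
    }
    mutex_unlock(&q->rq_qos_mutex);
}

static void del_gendisk(struct request_queue *q) { q->disk_live = 0; rq_qos_exit(q); }

/* Post-fix blkg_conf_open_bdev(): once blkdev_get_no_open() has found the disk,
 * take rq_qos_mutex and only then check disk_live().  On success the lock stays
 * held until blkg_conf_exit(), so rq_qos_exit() has to wait. */
static int blkg_conf_open_bdev_fixed(struct request_queue *q)
{
    mutex_lock(&q->rq_qos_mutex);
    if (q->disk_live) return 0;
    mutex_unlock(&q->rq_qos_mutex);
    return -ENODEV;
}

/* Post-fix rq_qos_add(): the list write happens with the lock held. */
static int rq_qos_add_fixed(struct request_queue *q, struct rq_qos *r)
{
    if (!q->rq_qos_mutex.held) abort();   /* lockdep_assert_held() stand-in */
    r->next = q->rq_qos;
    q->rq_qos = r;
    return 0;
}

/* Problem 3 pre-fix: the writer found the disk, del_gendisk() runs to completion,
 * then an unlocked rq_qos_add() links a policy nobody will free.  Returns the
 * number of rq_qos objects still allocated after the disk is gone (1 == leaked). */
static int leak_prefix(void)
{
    struct request_queue q = { .disk_live = 1 }; live_allocs = 0;
    del_gendisk(&q);                      /* removal wins the race */
    struct rq_qos *r = rq_qos_alloc();
    r->next = q.rq_qos; q.rq_qos = r;     /* pre-fix rq_qos_add(): no lock, no check */
    return live_allocs;
}

/* Same ordering with the fix: disk_live() fails under the lock, the writer gets
 * -ENODEV (returned via *open_ret) and never allocates. */
static int leak_fixed_removal_first(int *open_ret)
{
    struct request_queue q = { .disk_live = 1 }; live_allocs = 0;
    del_gendisk(&q);
    *open_ret = blkg_conf_open_bdev_fixed(&q);
    if (*open_ret == 0) {                 /* not reached: disk already dead */
        rq_qos_add_fixed(&q, rq_qos_alloc());
        mutex_unlock(&q.rq_qos_mutex);    /* blkg_conf_exit() */
    }
    return live_allocs;
}

/* Other ordering with the fix: the writer holds the lock across its add, so
 * del_gendisk() reaches rq_qos_exit() only afterwards and frees the policy there. */
static int leak_fixed_writer_first(void)
{
    struct request_queue q = { .disk_live = 1 }; live_allocs = 0;
    if (blkg_conf_open_bdev_fixed(&q) != 0) abort();
    rq_qos_add_fixed(&q, rq_qos_alloc());
    mutex_unlock(&q.rq_qos_mutex);        /* blkg_conf_exit() */
    del_gendisk(&q);
    return live_allocs;
}
```

The order matters: the disk_live() check must come after rq_qos_mutex is taken. Checking liveness first and locking afterwards would reopen the window, because del_gendisk() could complete between the check and the add, which is exactly the interleaving leak_prefix() replays.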
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (2)
16398b4638b5
a13bd91be223
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)