CVE-2023-54235
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI/DOE: Fix destroy_work_on_stack() race
The following debug object splat was observed in testing:
ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510
WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0
...
Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
 ? debug_print_object+0x7d/0xb0
 ? __pfx_doe_statemachine_work+0x10/0x10
 debug_object_free.part.0+0x11b/0x150
 doe_statemachine_work+0x45e/0x510
 process_one_work+0x1d4/0x3c0
This occurs because destroy_work_on_stack() was called after signaling the completion in the calling thread. This creates a race between destroy_work_on_stack() and the task->work struct going out of scope in pci_doe().
Signal the work complete after destroying the work struct. This is safe because signal_task_complete() is the final thing the work item does and the workqueue code is careful not to access the work struct after.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's PCI DOE subsystem: the DOE work function called destroy_work_on_stack() on a stack-allocated work struct only after signaling completion to the caller, so the struct could already be out of scope, and its stack slot reused, by the time it was touched.
Vulnerability
CVE-2023-54235 is a race condition in the Linux kernel's PCI Data Object Exchange (DOE) subsystem. The work function doe_statemachine_work() called destroy_work_on_stack() after signaling completion to the calling thread. Because the work struct lives in the task on that caller's stack, inside pci_doe(), the caller can wake, return and let the struct go out of scope before the worker's destroy_work_on_stack() runs, so the worker operates on a stack slot that no longer belongs to it and may already hold a new task.
Exploitation
The race is between the kernel worker running doe_statemachine_work() and the kernel thread that called pci_doe(). DOE exchanges are initiated by kernel drivers (for example the CXL driver reading device tables), not through a userspace interface, so an attacker has little direct control over when they happen or how they interleave. The window is the interval between the worker signaling the completion and its next instruction, which is narrow. The sources for this CVE describe the warning seen in testing, not a working exploit.
Impact
In kernels built with CONFIG_DEBUG_OBJECTS_WORK, destroy_work_on_stack() looks up the tracker entry for the address and, if the caller has already reused that stack slot for a newly queued work item, reports it as a "free active" object and drops its tracking; the observed splat is the debug infrastructure catching exactly this, not evidence of exploitation. Without that option destroy_work_on_stack() is an empty inline function and the mis-ordered call has no effect. The realistic impact is therefore a kernel warning or, at worst, a crash (denial of service); the sources do not describe a path to code execution.
Mitigation
The fix reorders doe_statemachine_work() so that destroy_work_on_stack() runs before signal_task_complete(): once the completion has been signaled the caller may return from pci_doe() and the task's stack-allocated work struct is gone, so the destroy must happen while the struct is still in scope. This is safe because signaling completion is the last thing the work function does and the workqueue core does not touch the work struct afterwards. Users should apply the stable kernel updates containing this fix [1][2].
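The ordering bug and its fix, as an added example: this is a user-space C model written for this page, not code from the kernel or from the CVE's sources. The tracker stands in for CONFIG_DEBUG_OBJECTS_WORK, struct doe_task for struct pci_doe_task, and simulate() for the pci_doe() caller plus the doe_statemachine_work() worker; those names, and the fixed interleaving in which the caller wins the race and immediately reuses its stack slot for the next exchange, are assumptions of the model. With the buggy order the late destroy finds the caller's new, already queued work at the same address and reports it as a "free active" object, which is the shape of the splat above; with the fixed order the struct is destroyed while it is still the worker's own.

```c
/* Added example: single-threaded model of the CVE-2023-54235 ordering bug.
 * Hypothetical stand-ins: the tracker for CONFIG_DEBUG_OBJECTS_WORK,
 * struct doe_task for struct pci_doe_task, simulate() for pci_doe() plus
 * doe_statemachine_work(). Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum obj_state { OBJ_NONE, OBJ_INACTIVE, OBJ_ACTIVE };

/* Tracker: maps an address to a state, like the debugobjects hash. */
#define TRACK_MAX 8
static struct { const void *addr; enum obj_state state; } track[TRACK_MAX];
static int free_active_warnings;   /* "ODEBUG: free active" splats seen */

static int track_find(const void *addr)
{
    for (int i = 0; i < TRACK_MAX; i++)
        if (track[i].addr == addr)
            return i;
    return -1;
}

static void track_set(const void *addr, enum obj_state state)
{
    int i = track_find(addr);
    if (i < 0)
        i = track_find(NULL);          /* claim an empty slot */
    if (i < 0)
        return;                        /* tracker full: silently untracked */
    track[i].addr = addr;
    track[i].state = state;
}

static void track_reset(void)
{
    for (int i = 0; i < TRACK_MAX; i++) {
        track[i].addr = NULL;
        track[i].state = OBJ_NONE;
    }
    free_active_warnings = 0;
}

struct work_struct { void (*func)(struct work_struct *); };

/* Stand-in for struct pci_doe_task: lives on the caller's stack. */
struct doe_task {
    int request;
    int response;
    bool done;                         /* stand-in for struct completion */
    struct work_struct work;
};

/* INIT_WORK_ONSTACK(): register the address as tracked and inactive. */
static void init_work_onstack(struct work_struct *w, void (*fn)(struct work_struct *))
{
    w->func = fn;
    track_set(w, OBJ_INACTIVE);
}

/* queue_work(): debug_work_activate() marks the object active. */
static void queue_work(struct work_struct *w)
{
    track_set(w, OBJ_ACTIVE);
}

/* destroy_work_on_stack(): debug_object_free() warns on an active object
 * and drops the tracking entry either way. */
static void destroy_work_on_stack(struct work_struct *w)
{
    int i = track_find(w);
    if (i < 0)
        return;
    if (track[i].state == OBJ_ACTIVE) {
        free_active_warnings++;
        printf("ODEBUG: free active object: %p\n", (void *)w);
    }
    track[i].addr = NULL;
    track[i].state = OBJ_NONE;
}

/* What the caller does once the completion fires: pci_doe() returns, the
 * task goes out of scope, and the next pci_doe() reuses the same slot. */
static void caller_resumes_and_reuses_slot(struct doe_task *slot)
{
    slot->request = 7;
    slot->done = false;
    init_work_onstack(&slot->work, NULL);
    queue_work(&slot->work);
}

struct race_result {
    int warnings;                      /* "free active" splats */
    bool next_work_tracked;            /* caller's new work still tracked? */
};

/* One exchange, with the worker ordering chosen by fixed_order. */
static struct race_result simulate(bool fixed_order)
{
    struct doe_task slot;              /* same address for both exchanges */
    struct race_result r;

    track_reset();

    /* caller: pci_doe() sets up the task on its stack and queues it */
    slot.request = 41;
    slot.done = false;
    init_work_onstack(&slot.work, NULL);
    queue_work(&slot.work);

    /* worker: process_one_work() deactivates, then runs the work function */
    track_set(&slot.work, OBJ_INACTIVE);
    slot.response = slot.request + 1;  /* the "exchange" */

    if (fixed_order)
        destroy_work_on_stack(&slot.work);  /* fix: destroy while in scope */

    slot.done = true;                       /* signal_task_complete() */
    caller_resumes_and_reuses_slot(&slot);  /* caller wins the race */

    if (!fixed_order)
        destroy_work_on_stack(&slot.work);  /* bug: hits the caller's NEW task */

    r.warnings = free_active_warnings;
    r.next_work_tracked = track_find(&slot.work) >= 0;
    return r;
}

int main(void)
{
    struct race_result buggy = simulate(false), fixed = simulate(true);
    printf("buggy order: warnings=%d next_tracked=%d\n", buggy.warnings, buggy.next_work_tracked);
    printf("fixed order: warnings=%d next_tracked=%d\n", fixed.warnings, fixed.next_work_tracked);
    return 0;
}
```

The model makes the second consequence of the bug visible as well: besides the warning, the late destroy removes the tracking entry for the caller's new work item, so subsequent debugobjects checks on that item are silently lost. In a build without CONFIG_DEBUG_OBJECTS_WORK the destroy call is empty and neither effect occurs, which is why the splat only shows up in debug kernels.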
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4d96799ee3b78c4f9c0a3a6df19cf3ba16dcce3a3a097eaeb
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.