fkie_cve-2023-54134
Vulnerability from fkie_nvd
Published
2025-12-24 13:16
Modified
2025-12-24 13:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: autofs: fix memory leak of waitqueues in autofs_catatonic_mode Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nautofs: fix memory leak of waitqueues in autofs_catatonic_mode\n\nSyzkaller reports a memory leak:\n\nBUG: memory leak\nunreferenced object 0xffff88810b279e00 (size 96):\n  comm \"syz-executor399\", pid 3631, jiffies 4294964921 (age 23.870s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff  ..........\u0027.....\n    08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ..\u0027.............\n  backtrace:\n    [\u003cffffffff814cfc90\u003e] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n    [\u003cffffffff81bb75ca\u003e] kmalloc include/linux/slab.h:576 [inline]\n    [\u003cffffffff81bb75ca\u003e] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378\n    [\u003cffffffff81bb88a7\u003e] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593\n    [\u003cffffffff81bb8c33\u003e] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619\n    [\u003cffffffff81bb6972\u003e] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897\n    [\u003cffffffff81bb6a95\u003e] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910\n    [\u003cffffffff81602a9c\u003e] vfs_ioctl fs/ioctl.c:51 [inline]\n    [\u003cffffffff81602a9c\u003e] __do_sys_ioctl fs/ioctl.c:870 [inline]\n    [\u003cffffffff81602a9c\u003e] __se_sys_ioctl fs/ioctl.c:856 [inline]\n    [\u003cffffffff81602a9c\u003e] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856\n    [\u003cffffffff84608225\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [\u003cffffffff84608225\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [\u003cffffffff84800087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nautofs_wait_queue structs should be freed if their wait_ctr becomes zero.\nOtherwise they will be lost.\n\nIn this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new\nwaitqueue struct is allocated in autofs_wait(), its initial wait_ctr\nequals 2. After that wait_event_killable() is interrupted (it returns\n-ERESTARTSYS), so that \u0027wq-\u003ename.name == NULL\u0027 condition may be not\nsatisfied. Actually, this condition can be satisfied when\nautofs_wait_release() or autofs_catatonic_mode() is called and, what is\nalso important, wait_ctr is decremented in those places. Upon the exit of\nautofs_wait(), wait_ctr is decremented to 1. Then the unmounting process\nbegins: kill_sb calls autofs_catatonic_mode(), which should have freed the\nwaitqueues, but it only decrements its usage counter to zero which is not\na correct behaviour.\n\nedit:imk\nThis description is of course not correct. The umount performed as a result\nof an expire is a umount of a mount that has been automounted, it\u0027s not the\nautofs mount itself. They happen independently, usually after everything\nmounted within the autofs file system has been expired away. If everything\nhasn\u0027t been expired away the automount daemon can still exit leaving mounts\nin place. But expires done in both cases will result in a notification that\ncalls autofs_wait_release() with a result status. The problem case is the\nsummary execution of of the automount daemon. In this case any waiting\nprocesses won\u0027t be woken up until either they are terminated or the mount\nis umounted.\nend edit: imk\n\nSo in catatonic mode we should free waitqueues which counter becomes zero.\n\nedit: imk\nInitially I was concerned that the calling of autofs_wait_release() and\nautofs_catatonic_mode() was not mutually exclusive but that can\u0027t be the\ncase (obviously) because the queue entry (or entries) is removed from the\nlist when either of these two functions are called. Consequently the wait\nentry will be freed by only one of these functions or by the woken process\nin autofs_wait() depending on the order of the calls.\nend edit: imk"
    }
  ],
  "id": "CVE-2023-54134",
  "lastModified": "2025-12-24T13:16:15.383",
  "metrics": {},
  "published": "2025-12-24T13:16:15.383",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Received"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.