ghsa-p96p-6mvh-mgpr
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex

syzbot is reporting circular locking dependency between cpu_hotplug_lock and freezer_mutex, for commit f5d39b020809 ("freezer,sched: Rewrite core freezer logic") replaced atomic_inc() in freezer_apply_state() with static_branch_inc() which holds cpu_hotplug_lock.

cpu_hotplug_lock => cgroup_threadgroup_rwsem => freezer_mutex

cgroup_file_write() { cgroup_procs_write() { __cgroup_procs_write() { cgroup_procs_write_start() { cgroup_attach_lock() { cpus_read_lock() { percpu_down_read(&cpu_hotplug_lock); } percpu_down_write(&cgroup_threadgroup_rwsem); } } cgroup_attach_task() { cgroup_migrate() { cgroup_migrate_execute() { freezer_attach() { mutex_lock(&freezer_mutex); (...snipped...) } } } } (...snipped...) } } }

freezer_mutex => cpu_hotplug_lock

cgroup_file_write() { freezer_write() { freezer_change_state() { mutex_lock(&freezer_mutex); freezer_apply_state() { static_branch_inc(&freezer_active) { static_key_slow_inc() { cpus_read_lock(); static_key_slow_inc_cpuslocked(); cpus_read_unlock(); } } } mutex_unlock(&freezer_mutex); } } }

Swap locking order by moving cpus_read_lock() in freezer_apply_state() to before mutex_lock(&freezer_mutex) in freezer_change_state().

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53522"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:56Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup,freezer: hold cpu_hotplug_lock before freezer_mutex\n\nsyzbot is reporting circular locking dependency between cpu_hotplug_lock\nand freezer_mutex, for commit f5d39b020809 (\"freezer,sched: Rewrite core\nfreezer logic\") replaced atomic_inc() in freezer_apply_state() with\nstatic_branch_inc() which holds cpu_hotplug_lock.\n\ncpu_hotplug_lock =\u003e cgroup_threadgroup_rwsem =\u003e freezer_mutex\n\n  cgroup_file_write() {\n    cgroup_procs_write() {\n      __cgroup_procs_write() {\n        cgroup_procs_write_start() {\n          cgroup_attach_lock() {\n            cpus_read_lock() {\n              percpu_down_read(\u0026cpu_hotplug_lock);\n            }\n            percpu_down_write(\u0026cgroup_threadgroup_rwsem);\n          }\n        }\n        cgroup_attach_task() {\n          cgroup_migrate() {\n            cgroup_migrate_execute() {\n              freezer_attach() {\n                mutex_lock(\u0026freezer_mutex);\n                (...snipped...)\n              }\n            }\n          }\n        }\n        (...snipped...)\n      }\n    }\n  }\n\nfreezer_mutex =\u003e cpu_hotplug_lock\n\n  cgroup_file_write() {\n    freezer_write() {\n      freezer_change_state() {\n        mutex_lock(\u0026freezer_mutex);\n        freezer_apply_state() {\n          static_branch_inc(\u0026freezer_active) {\n            static_key_slow_inc() {\n              cpus_read_lock();\n              static_key_slow_inc_cpuslocked();\n              cpus_read_unlock();\n            }\n          }\n        }\n        mutex_unlock(\u0026freezer_mutex);\n      }\n    }\n  }\n\nSwap locking order by moving cpus_read_lock() in freezer_apply_state()\nto before mutex_lock(\u0026freezer_mutex) in freezer_change_state().",
  "id": "GHSA-p96p-6mvh-mgpr",
  "modified": "2025-10-01T12:30:31Z",
  "published": "2025-10-01T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53522"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34fbb7b45bae20b551dda24337c7761ca13ce69d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3756171b97c307d9df8b8ded1d883eec30172085"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57dcd64c7e036299ef526b400a8d12b8a2352f26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.