CVE-2026-23452

In the Linux kernel, the following vulnerability has been resolved:

PM: runtime: Fix a race condition related to device removal

The following code in pmruntimework() may dereference the dev->parent pointer after the parent device has been freed:

/* Maybe the parent is now able to suspend. */
if (parent && !parent->power.ignore_children) {
    spin_unlock(&dev->power.lock);

    spin_lock(&parent->power.lock);
    rpm_idle(parent, RPM_ASYNC);
    spin_unlock(&parent->power.lock);

    spin_lock(&dev->power.lock);
}

Fix this by inserting a flushwork() call in pmruntime_remove().

Without this patch blktest block/001 triggers the following complaint sporadically:

BUG: KASAN: slab-use-after-free in lockacquire+0x70/0x160 Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 Workqueue: pm pmruntimework Call Trace: <TASK> dumpstacklvl+0x61/0x80 printaddressdescription.constprop.0+0x8b/0x310 printreport+0xfd/0x1d7 kasan_report+0xd8/0x1d0 _kasancheckbyte+0x42/0x60 lockacquire.part.0+0x38/0x230 lockacquire+0x70/0x160 rawspinlock+0x36/0x50 rpmsuspend+0xc6a/0xfe0 rpmidle+0x578/0x770 pmruntimework+0xee/0x120 processonework+0xde3/0x1410 workerthread+0x5eb/0xfe0 kthread+0x37b/0x480 retfromfork+0x6cb/0x920 retfromforkasm+0x11/0x20 </TASK>

Allocated by task 4314: kasansavestack+0x2a/0x50 kasansavetrack+0x18/0x40 kasansavealloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmallocnoprof+0x311/0x990 scsialloctarget+0x122/0xb60 [scsimod] __scsiscantarget+0x101/0x460 [scsimod] scsiscan_channel+0x179/0x1c0 [scsimod] scsiscanhostselected+0x259/0x2d0 [scsimod] storescan+0x2d2/0x390 [scsimod] devattrstore+0x43/0x80 sysfskfwrite+0xde/0x140 kernfsfopwriteiter+0x3ef/0x670 vfswrite+0x506/0x1470 ksyswrite+0xfd/0x230 __x64syswrite+0x76/0xc0 x64syscall+0x213/0x1810 dosyscall64+0xee/0xfc0 entrySYSCALL64afterhwframe+0x4b/0x53

Freed by task 4314: kasansavestack+0x2a/0x50 kasansavetrack+0x18/0x40 kasansavefree_info+0x3f/0x50 __kasanslabfree+0x67/0x80 kfree+0x225/0x6c0 scsitargetdevrelease+0x3d/0x60 [scsimod] devicerelease+0xa3/0x220 kobjectcleanup+0x105/0x3a0 kobjectput+0x72/0xd0 putdevice+0x17/0x20 scsidevicedevrelease+0xacf/0x12c0 [scsimod] devicerelease+0xa3/0x220 kobjectcleanup+0x105/0x3a0 kobjectput+0x72/0xd0 putdevice+0x17/0x20 scsideviceput+0x7f/0xc0 [scsimod] sdevstoredelete+0xa5/0x120 [scsimod] devattrstore+0x43/0x80 sysfskfwrite+0xde/0x140 kernfsfopwriteiter+0x3ef/0x670 vfswrite+0x506/0x1470 ksys_write+0xfd/0x230 __x64syswrite+0x76/0xc0 x64syscall+0x213/0x1810