{"id":"CVE-2023-53810","summary":"blk-mq: release crypto keyslot before reporting I/O complete","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: release crypto keyslot before reporting I/O complete\n\nOnce all I/O using a blk_crypto_key has completed, filesystems can call\nblk_crypto_evict_key().  However, the block layer currently doesn't call\nblk_crypto_put_keyslot() until the request is being freed, which happens\nafter upper layers have been told (via bio_endio()) the I/O has\ncompleted.  This causes a race condition where blk_crypto_evict_key()\ncan see 'slot_refs != 0' without there being an actual bug.\n\nThis makes __blk_crypto_evict_key() hit the\n'WARN_ON_ONCE(atomic_read(&slot-\u003eslot_refs) != 0)' and return without\ndoing anything, eventually causing a use-after-free in\nblk_crypto_reprogram_all_keys().  (This is a very rare bug and has only\nbeen seen when per-file keys are being used with fscrypt.)\n\nThere are two options to fix this: either release the keyslot before\nbio_endio() is called on the request's last bio, or make\n__blk_crypto_evict_key() ignore slot_refs.  Let's go with the first\nsolution, since it preserves the ability to report bugs (via\nWARN_ON_ONCE) where a key is evicted while still in-use.","modified":"2026-03-20T12:33:21.166503Z","published":"2025-12-09T00:01:08.062Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53810.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/7d206ec7a04e8545828191b6ea8b49d3ea61391f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/874bdf43b4a7dc5463c31508f62b3e42eb237b08"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92d5d233b9ff531cf9cc36ab4251779e07adb633"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9cd1e566676bbcb8a126acd921e4e194e6339603"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b278570e2c59d538216f8b656e97680188a8fba4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d206f79d9cd658665b37ce8134c6ec849ac7af0c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53810.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53810"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a892c8d52c02284076fbbacae6692aa5c5807d11"},{"fixed":"874bdf43b4a7dc5463c31508f62b3e42eb237b08"},{"fixed":"d206f79d9cd658665b37ce8134c6ec849ac7af0c"},{"fixed":"7d206ec7a04e8545828191b6ea8b49d3ea61391f"},{"fixed":"b278570e2c59d538216f8b656e97680188a8fba4"},{"fixed":"92d5d233b9ff531cf9cc36ab4251779e07adb633"},{"fixed":"9cd1e566676bbcb8a126acd921e4e194e6339603"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53810.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.8.0"},{"fixed":"5.10.180"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.111"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.28"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.15"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.3.0"},{"fixed":"6.3.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53810.json"}}],"schema_version":"1.7.5"}