{"id":"CVE-2023-54134","summary":"autofs: fix memory leak of waitqueues in autofs_catatonic_mode","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nautofs: fix memory leak of waitqueues in autofs_catatonic_mode\n\nSyzkaller reports a memory leak:\n\nBUG: memory leak\nunreferenced object 0xffff88810b279e00 (size 96):\n  comm \"syz-executor399\", pid 3631, jiffies 4294964921 (age 23.870s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff  ..........'.....\n    08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ..'.............\n  backtrace:\n    [\u003cffffffff814cfc90\u003e] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n    [\u003cffffffff81bb75ca\u003e] kmalloc include/linux/slab.h:576 [inline]\n    [\u003cffffffff81bb75ca\u003e] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378\n    [\u003cffffffff81bb88a7\u003e] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593\n    [\u003cffffffff81bb8c33\u003e] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619\n    [\u003cffffffff81bb6972\u003e] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897\n    [\u003cffffffff81bb6a95\u003e] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910\n    [\u003cffffffff81602a9c\u003e] vfs_ioctl fs/ioctl.c:51 [inline]\n    [\u003cffffffff81602a9c\u003e] __do_sys_ioctl fs/ioctl.c:870 [inline]\n    [\u003cffffffff81602a9c\u003e] __se_sys_ioctl fs/ioctl.c:856 [inline]\n    [\u003cffffffff81602a9c\u003e] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856\n    [\u003cffffffff84608225\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [\u003cffffffff84608225\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [\u003cffffffff84800087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nautofs_wait_queue structs should be freed if their wait_ctr becomes zero.\nOtherwise they will be lost.\n\nIn this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new\nwaitqueue struct is allocated in autofs_wait(), its initial wait_ctr\nequals 2. After that wait_event_killable() is interrupted (it returns\n-ERESTARTSYS), so that 'wq-\u003ename.name == NULL' condition may be not\nsatisfied. Actually, this condition can be satisfied when\nautofs_wait_release() or autofs_catatonic_mode() is called and, what is\nalso important, wait_ctr is decremented in those places. Upon the exit of\nautofs_wait(), wait_ctr is decremented to 1. Then the unmounting process\nbegins: kill_sb calls autofs_catatonic_mode(), which should have freed the\nwaitqueues, but it only decrements its usage counter to zero which is not\na correct behaviour.\n\nedit:imk\nThis description is of course not correct. The umount performed as a result\nof an expire is a umount of a mount that has been automounted, it's not the\nautofs mount itself. They happen independently, usually after everything\nmounted within the autofs file system has been expired away. If everything\nhasn't been expired away the automount daemon can still exit leaving mounts\nin place. But expires done in both cases will result in a notification that\ncalls autofs_wait_release() with a result status. The problem case is the\nsummary execution of of the automount daemon. In this case any waiting\nprocesses won't be woken up until either they are terminated or the mount\nis umounted.\nend edit: imk\n\nSo in catatonic mode we should free waitqueues which counter becomes zero.\n\nedit: imk\nInitially I was concerned that the calling of autofs_wait_release() and\nautofs_catatonic_mode() was not mutually exclusive but that can't be the\ncase (obviously) because the queue entry (or entries) is removed from the\nlist when either of these two functions are called. Consequently the wait\nentry will be freed by only one of these functions or by the woken process\nin autofs_wait() depending on the order of the calls.\nend edit: imk","modified":"2026-03-31T17:29:54.128188668Z","published":"2025-12-24T13:06:50.627Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54134.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504"},{"type":"WEB","url":"https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366"},{"type":"WEB","url":"https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54134.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54134"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"296f7bf78bc5c7a4d772aea580ce800d14040d1a"},{"fixed":"1985e8eae8627f02e3364690c5fed7af1c46be55"},{"fixed":"976abbdc120a97049b9133e60fa7b29627d11de4"},{"fixed":"6079dc77c6f32936e8a6766ee8334ae3c99f4504"},{"fixed":"69ddafc7a7afd8401bab53eff5af813fa0d368a2"},{"fixed":"71eeddcad7342292c19042c290c477697acaccab"},{"fixed":"726deae613bc1b6096ad3b61cc1e63e33330fbc2"},{"fixed":"696b625f3f85d80fca48c24d2948fbc451e74366"},{"fixed":"ccbe77f7e45dfb4420f7f531b650c00c6e9c7507"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54134.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.27"},{"fixed":"4.14.326"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.295"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.257"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.133"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.55"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.5.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54134.json"}}],"schema_version":"1.7.5"}