CVE-2023-54316 (GCVE-0-2023-54316)
Vulnerability from cvelistv5
Published
2025-12-30 12:23
Modified
2025-12-30 12:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
refscale: Fix uninitalized use of wait_queue_head_t
Running the refscale test occasionally crashes the kernel with the
following error:
[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8
[ 8569.952900] #PF: supervisor read access in kernel mode
[ 8569.952902] #PF: error_code(0x0000) - not-present page
[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0
[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI
[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021
[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190
:
[ 8569.952940] Call Trace:
[ 8569.952941] <TASK>
[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]
[ 8569.952959] kthread+0x10e/0x130
[ 8569.952966] ret_from_fork+0x1f/0x30
[ 8569.952973] </TASK>
The likely cause is that init_waitqueue_head() is called after the call to
the torture_create_kthread() function that creates the ref_scale_reader
kthread. Although this init_waitqueue_head() call will very likely
complete before this kthread is created and starts running, it is
possible that the calling kthread will be delayed between the calls to
torture_create_kthread() and init_waitqueue_head(). In this case, the
new kthread will use the waitqueue head before it is properly initialized,
which is not good for the kernel's health and well-being.
The above crash happened here:
static inline void __add_wait_queue(...)
{
:
if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here
The offset of flags from list_head entry in wait_queue_entry is
-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task
structure is zero initialized, the instruction will try to access address
0xffffffffffffffe8, which is exactly the fault address listed above.
This commit therefore invokes init_waitqueue_head() before creating
the kthread.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 653ed64b01dc5989f8f579d0038e987476c2c023 Version: 653ed64b01dc5989f8f579d0038e987476c2c023 Version: 653ed64b01dc5989f8f579d0038e987476c2c023 Version: 653ed64b01dc5989f8f579d0038e987476c2c023 Version: 653ed64b01dc5989f8f579d0038e987476c2c023 Version: 653ed64b01dc5989f8f579d0038e987476c2c023 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/refscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "066fbd8bc981cf49923bf828b7b4092894df577f",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "ec9d118ad99dc6f1bc674c1e649c25533d89b9ba",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "e0322a255a2242dbe4686b6176b3c83dea490529",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "e5de968a9032366198720eac4f368ed7e690b3ef",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "70a2856fd1d0a040c876ba9e3f89b949ae92e4dd",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "f5063e8948dad7f31adb007284a5d5038ae31bb8",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/refscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrefscale: Fix uninitalized use of wait_queue_head_t\n\nRunning the refscale test occasionally crashes the kernel with the\nfollowing error:\n\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\n[ 8569.952900] #PF: supervisor read access in kernel mode\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\n :\n[ 8569.952940] Call Trace:\n[ 8569.952941] \u003cTASK\u003e\n[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]\n[ 8569.952959] kthread+0x10e/0x130\n[ 8569.952966] ret_from_fork+0x1f/0x30\n[ 8569.952973] \u003c/TASK\u003e\n\nThe likely cause is that init_waitqueue_head() is called after the call to\nthe torture_create_kthread() function that creates the ref_scale_reader\nkthread. Although this init_waitqueue_head() call will very likely\ncomplete before this kthread is created and starts running, it is\npossible that the calling kthread will be delayed between the calls to\ntorture_create_kthread() and init_waitqueue_head(). In this case, the\nnew kthread will use the waitqueue head before it is properly initialized,\nwhich is not good for the kernel\u0027s health and well-being.\n\nThe above crash happened here:\n\n\tstatic inline void __add_wait_queue(...)\n\t{\n\t\t:\n\t\tif (!(wq-\u003eflags \u0026 WQ_FLAG_PRIORITY)) \u003c=== Crash here\n\nThe offset of flags from list_head entry in wait_queue_entry is\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\nstructure is zero initialized, the instruction will try to access address\n0xffffffffffffffe8, which is exactly the fault address listed above.\n\nThis commit therefore invokes init_waitqueue_head() before creating\nthe kthread."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:46.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f"
},
{
"url": "https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba"
},
{
"url": "https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529"
},
{
"url": "https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef"
},
{
"url": "https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd"
},
{
"url": "https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8"
}
],
"title": "refscale: Fix uninitalized use of wait_queue_head_t",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54316",
"datePublished": "2025-12-30T12:23:46.526Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:46.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54316\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:20.867\",\"lastModified\":\"2025-12-30T13:16:20.867\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrefscale: Fix uninitalized use of wait_queue_head_t\\n\\nRunning the refscale test occasionally crashes the kernel with the\\nfollowing error:\\n\\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\\n[ 8569.952900] #PF: supervisor read access in kernel mode\\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\\n :\\n[ 8569.952940] Call Trace:\\n[ 8569.952941] \u003cTASK\u003e\\n[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]\\n[ 8569.952959] kthread+0x10e/0x130\\n[ 8569.952966] ret_from_fork+0x1f/0x30\\n[ 8569.952973] \u003c/TASK\u003e\\n\\nThe likely cause is that init_waitqueue_head() is called after the call to\\nthe torture_create_kthread() function that creates the ref_scale_reader\\nkthread. Although this init_waitqueue_head() call will very likely\\ncomplete before this kthread is created and starts running, it is\\npossible that the calling kthread will be delayed between the calls to\\ntorture_create_kthread() and init_waitqueue_head(). In this case, the\\nnew kthread will use the waitqueue head before it is properly initialized,\\nwhich is not good for the kernel\u0027s health and well-being.\\n\\nThe above crash happened here:\\n\\n\\tstatic inline void __add_wait_queue(...)\\n\\t{\\n\\t\\t:\\n\\t\\tif (!(wq-\u003eflags \u0026 WQ_FLAG_PRIORITY)) \u003c=== Crash here\\n\\nThe offset of flags from list_head entry in wait_queue_entry is\\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\\nstructure is zero initialized, the instruction will try to access address\\n0xffffffffffffffe8, which is exactly the fault address listed above.\\n\\nThis commit therefore invokes init_waitqueue_head() before creating\\nthe kthread.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…