CVE-2023-54113 (GCVE-0-2023-54113)
Vulnerability from cvelistv5
Published
2025-12-24 13:06
Modified
2025-12-24 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu: dump vmalloc memory info safely
Currently, for double invoke call_rcu(), will dump rcu_head objects memory
info, if the objects is not allocated from the slab allocator, the
vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to
be held, since the call_rcu() can be invoked in interrupt context,
therefore, there is a possibility of spinlock deadlock scenarios.
And in Preempt-RT kernel, the rcutorture test also trigger the following
lockdep warning:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 1
3 locks held by swapper/0/1:
#0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0
#1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370
#2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70
irq event stamp: 565512
hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940
hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370
softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170
softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0
Preemption disabled at:
[<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xb0
dump_stack+0x14/0x20
__might_resched+0x1aa/0x280
? __pfx_rcu_torture_err_cb+0x10/0x10
rt_spin_lock+0x53/0x130
? find_vmap_area+0x1f/0x70
find_vmap_area+0x1f/0x70
vmalloc_dump_obj+0x20/0x60
mem_dump_obj+0x22/0x90
__call_rcu_common+0x5bf/0x940
? debug_smp_processor_id+0x1b/0x30
call_rcu_hurry+0x14/0x20
rcu_torture_init+0x1f82/0x2370
? __pfx_rcu_torture_leak_cb+0x10/0x10
? __pfx_rcu_torture_leak_cb+0x10/0x10
? __pfx_rcu_torture_init+0x10/0x10
do_one_initcall+0x6c/0x300
? debug_smp_processor_id+0x1b/0x30
kernel_init_freeable+0x2b9/0x540
? __pfx_kernel_init+0x10/0x10
kernel_init+0x1f/0x150
ret_from_fork+0x40/0x50
? __pfx_kernel_init+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
The previous patch fixes this by using the deadlock-safe best-effort
version of find_vm_area. However, in case of failure print the fact that
the pointer was a vmalloc pointer so that we print at least something.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a22f9c17b1aa2a35b5eedee928f7841595b55cd",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "dddca4c46ec92f83449bc91dd199f46a89e066be",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "8fb1601ec0a2c4c34fc2170af767e5c2a6400573",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "c83ad36a18c02c0f51280b50272327807916987f",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: dump vmalloc memory info safely\n\nCurrently, for double invoke call_rcu(), will dump rcu_head objects memory\ninfo, if the objects is not allocated from the slab allocator, the\nvmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to\nbe held, since the call_rcu() can be invoked in interrupt context,\ntherefore, there is a possibility of spinlock deadlock scenarios.\n\nAnd in Preempt-RT kernel, the rcutorture test also trigger the following\nlockdep warning:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 1, expected: 0\nRCU nest depth: 1, expected: 1\n3 locks held by swapper/0/1:\n #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0\n #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370\n #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70\nirq event stamp: 565512\nhardirqs last enabled at (565511): [\u003cffffffffb379b138\u003e] __call_rcu_common+0x218/0x940\nhardirqs last disabled at (565512): [\u003cffffffffb5804262\u003e] rcu_torture_init+0x20b2/0x2370\nsoftirqs last enabled at (399112): [\u003cffffffffb36b2586\u003e] __local_bh_enable_ip+0x126/0x170\nsoftirqs last disabled at (399106): [\u003cffffffffb43fef59\u003e] inet_register_protosw+0x9/0x1d0\nPreemption disabled at:\n[\u003cffffffffb58040c3\u003e] rcu_torture_init+0x1f13/0x2370\nCPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0xb0\n dump_stack+0x14/0x20\n __might_resched+0x1aa/0x280\n ? __pfx_rcu_torture_err_cb+0x10/0x10\n rt_spin_lock+0x53/0x130\n ? find_vmap_area+0x1f/0x70\n find_vmap_area+0x1f/0x70\n vmalloc_dump_obj+0x20/0x60\n mem_dump_obj+0x22/0x90\n __call_rcu_common+0x5bf/0x940\n ? debug_smp_processor_id+0x1b/0x30\n call_rcu_hurry+0x14/0x20\n rcu_torture_init+0x1f82/0x2370\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_init+0x10/0x10\n do_one_initcall+0x6c/0x300\n ? debug_smp_processor_id+0x1b/0x30\n kernel_init_freeable+0x2b9/0x540\n ? __pfx_kernel_init+0x10/0x10\n kernel_init+0x1f/0x150\n ret_from_fork+0x40/0x50\n ? __pfx_kernel_init+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe previous patch fixes this by using the deadlock-safe best-effort\nversion of find_vm_area. However, in case of failure print the fact that\nthe pointer was a vmalloc pointer so that we print at least something."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:35.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd"
},
{
"url": "https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d"
},
{
"url": "https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be"
},
{
"url": "https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573"
},
{
"url": "https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f"
}
],
"title": "rcu: dump vmalloc memory info safely",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54113",
"datePublished": "2025-12-24T13:06:35.514Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2025-12-24T13:06:35.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54113\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:13.213\",\"lastModified\":\"2025-12-24T13:16:13.213\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrcu: dump vmalloc memory info safely\\n\\nCurrently, for double invoke call_rcu(), will dump rcu_head objects memory\\ninfo, if the objects is not allocated from the slab allocator, the\\nvmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to\\nbe held, since the call_rcu() can be invoked in interrupt context,\\ntherefore, there is a possibility of spinlock deadlock scenarios.\\n\\nAnd in Preempt-RT kernel, the rcutorture test also trigger the following\\nlockdep warning:\\n\\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\\npreempt_count: 1, expected: 0\\nRCU nest depth: 1, expected: 1\\n3 locks held by swapper/0/1:\\n #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0\\n #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370\\n #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70\\nirq event stamp: 565512\\nhardirqs last enabled at (565511): [\u003cffffffffb379b138\u003e] __call_rcu_common+0x218/0x940\\nhardirqs last disabled at (565512): [\u003cffffffffb5804262\u003e] rcu_torture_init+0x20b2/0x2370\\nsoftirqs last enabled at (399112): [\u003cffffffffb36b2586\u003e] __local_bh_enable_ip+0x126/0x170\\nsoftirqs last disabled at (399106): [\u003cffffffffb43fef59\u003e] inet_register_protosw+0x9/0x1d0\\nPreemption disabled at:\\n[\u003cffffffffb58040c3\u003e] rcu_torture_init+0x1f13/0x2370\\nCPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x68/0xb0\\n dump_stack+0x14/0x20\\n __might_resched+0x1aa/0x280\\n ? __pfx_rcu_torture_err_cb+0x10/0x10\\n rt_spin_lock+0x53/0x130\\n ? find_vmap_area+0x1f/0x70\\n find_vmap_area+0x1f/0x70\\n vmalloc_dump_obj+0x20/0x60\\n mem_dump_obj+0x22/0x90\\n __call_rcu_common+0x5bf/0x940\\n ? debug_smp_processor_id+0x1b/0x30\\n call_rcu_hurry+0x14/0x20\\n rcu_torture_init+0x1f82/0x2370\\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\\n ? __pfx_rcu_torture_init+0x10/0x10\\n do_one_initcall+0x6c/0x300\\n ? debug_smp_processor_id+0x1b/0x30\\n kernel_init_freeable+0x2b9/0x540\\n ? __pfx_kernel_init+0x10/0x10\\n kernel_init+0x1f/0x150\\n ret_from_fork+0x40/0x50\\n ? __pfx_kernel_init+0x10/0x10\\n ret_from_fork_asm+0x1b/0x30\\n \u003c/TASK\u003e\\n\\nThe previous patch fixes this by using the deadlock-safe best-effort\\nversion of find_vm_area. However, in case of failure print the fact that\\nthe pointer was a vmalloc pointer so that we print at least something.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…