CVE-2023-54165 (GCVE-0-2023-54165)
Vulnerability from cvelistv5
Published
2025-12-30 12:08
Modified
2025-12-30 12:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: zsmalloc: move LRU update from zs_map_object() to zs_malloc() Under memory pressure, we sometimes observe the following crash: [ 5694.832838] ------------[ cut here ]------------ [ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100) [ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80 [ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S 5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1 [ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021 [ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80 [ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7 [ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246 [ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000 [ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480 [ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370 [ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002 [ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240 [ 5695.136717] FS: 00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000 [ 5695.152899] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0 [ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5695.207197] PKRU: 55555554 [ 5695.212602] Call Trace: [ 5695.217486] <TASK> [ 5695.221674] zs_map_object+0x91/0x270 [ 5695.229000] zswap_frontswap_store+0x33d/0x870 [ 5695.237885] ? do_raw_spin_lock+0x5d/0xa0 [ 5695.245899] __frontswap_store+0x51/0xb0 [ 5695.253742] swap_writepage+0x3c/0x60 [ 5695.261063] shrink_page_list+0x738/0x1230 [ 5695.269255] shrink_lruvec+0x5ec/0xcd0 [ 5695.276749] ? shrink_slab+0x187/0x5f0 [ 5695.284240] ? mem_cgroup_iter+0x6e/0x120 [ 5695.292255] shrink_node+0x293/0x7b0 [ 5695.299402] do_try_to_free_pages+0xea/0x550 [ 5695.307940] try_to_free_pages+0x19a/0x490 [ 5695.316126] __folio_alloc+0x19ff/0x3e40 [ 5695.323971] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.332681] ? walk_component+0x2a8/0xb50 [ 5695.340697] ? generic_permission+0xda/0x2a0 [ 5695.349231] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.357940] ? walk_component+0x2a8/0xb50 [ 5695.365955] vma_alloc_folio+0x10e/0x570 [ 5695.373796] ? walk_component+0x52/0xb50 [ 5695.381634] wp_page_copy+0x38c/0xc10 [ 5695.388953] ? filename_lookup+0x378/0xbc0 [ 5695.397140] handle_mm_fault+0x87f/0x1800 [ 5695.405157] do_user_addr_fault+0x1bd/0x570 [ 5695.413520] exc_page_fault+0x5d/0x110 [ 5695.421017] asm_exc_page_fault+0x22/0x30 After some investigation, I have found the following issue: unlike other zswap backends, zsmalloc performs the LRU list update at the object mapping time, rather than when the slot for the object is allocated. This deviation was discussed and agreed upon during the review process of the zsmalloc writeback patch series: https://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/ Unfortunately, this introduces a subtle bug that occurs when there is a concurrent store and reclaim, which interleave as follows: zswap_frontswap_store() shrink_worker() zs_malloc() zs_zpool_shrink() spin_lock(&pool->lock) zs_reclaim_page() zspage = find_get_zspage() spin_unlock(&pool->lock) spin_lock(&pool->lock) zspage = list_first_entry(&pool->lru) ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: 64f768c6b32e1957e2b65b70e97cb4cb62344bc4
Version: 64f768c6b32e1957e2b65b70e97cb4cb62344bc4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/zsmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e95adf7486f2cb5f1bb303113ca30460951923e9",
              "status": "affected",
              "version": "64f768c6b32e1957e2b65b70e97cb4cb62344bc4",
              "versionType": "git"
            },
            {
              "lessThan": "d461aac924b937bcb4fd0ca1242b3ef6868ecddd",
              "status": "affected",
              "version": "64f768c6b32e1957e2b65b70e97cb4cb62344bc4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/zsmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: move LRU update from zs_map_object() to zs_malloc()\n\nUnder memory pressure, we sometimes observe the following crash:\n\n[ 5694.832838] ------------[ cut here ]------------\n[ 5694.842093] list_del corruption, ffff888014b6a448-\u003enext is LIST_POISON1 (dead000000000100)\n[ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80\n[ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S                5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1\n[ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021\n[ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80\n[ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 \u003c0f\u003e 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7\n[ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246\n[ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000\n[ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480\n[ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370\n[ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002\n[ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240\n[ 5695.136717] FS:  00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000\n[ 5695.152899] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0\n[ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 5695.207197] PKRU: 55555554\n[ 5695.212602] Call Trace:\n[ 5695.217486]  \u003cTASK\u003e\n[ 5695.221674]  zs_map_object+0x91/0x270\n[ 5695.229000]  zswap_frontswap_store+0x33d/0x870\n[ 5695.237885]  ? do_raw_spin_lock+0x5d/0xa0\n[ 5695.245899]  __frontswap_store+0x51/0xb0\n[ 5695.253742]  swap_writepage+0x3c/0x60\n[ 5695.261063]  shrink_page_list+0x738/0x1230\n[ 5695.269255]  shrink_lruvec+0x5ec/0xcd0\n[ 5695.276749]  ? shrink_slab+0x187/0x5f0\n[ 5695.284240]  ? mem_cgroup_iter+0x6e/0x120\n[ 5695.292255]  shrink_node+0x293/0x7b0\n[ 5695.299402]  do_try_to_free_pages+0xea/0x550\n[ 5695.307940]  try_to_free_pages+0x19a/0x490\n[ 5695.316126]  __folio_alloc+0x19ff/0x3e40\n[ 5695.323971]  ? __filemap_get_folio+0x8a/0x4e0\n[ 5695.332681]  ? walk_component+0x2a8/0xb50\n[ 5695.340697]  ? generic_permission+0xda/0x2a0\n[ 5695.349231]  ? __filemap_get_folio+0x8a/0x4e0\n[ 5695.357940]  ? walk_component+0x2a8/0xb50\n[ 5695.365955]  vma_alloc_folio+0x10e/0x570\n[ 5695.373796]  ? walk_component+0x52/0xb50\n[ 5695.381634]  wp_page_copy+0x38c/0xc10\n[ 5695.388953]  ? filename_lookup+0x378/0xbc0\n[ 5695.397140]  handle_mm_fault+0x87f/0x1800\n[ 5695.405157]  do_user_addr_fault+0x1bd/0x570\n[ 5695.413520]  exc_page_fault+0x5d/0x110\n[ 5695.421017]  asm_exc_page_fault+0x22/0x30\n\nAfter some investigation, I have found the following issue: unlike other\nzswap backends, zsmalloc performs the LRU list update at the object\nmapping time, rather than when the slot for the object is allocated.\nThis deviation was discussed and agreed upon during the review process\nof the zsmalloc writeback patch series:\n\nhttps://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/\n\nUnfortunately, this introduces a subtle bug that occurs when there is a\nconcurrent store and reclaim, which interleave as follows:\n\nzswap_frontswap_store()            shrink_worker()\n  zs_malloc()                        zs_zpool_shrink()\n    spin_lock(\u0026pool-\u003elock)             zs_reclaim_page()\n    zspage = find_get_zspage()\n    spin_unlock(\u0026pool-\u003elock)\n                                         spin_lock(\u0026pool-\u003elock)\n                                         zspage = list_first_entry(\u0026pool-\u003elru)\n                  \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:41.019Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e95adf7486f2cb5f1bb303113ca30460951923e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d461aac924b937bcb4fd0ca1242b3ef6868ecddd"
        }
      ],
      "title": "zsmalloc: move LRU update from zs_map_object() to zs_malloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54165",
    "datePublished": "2025-12-30T12:08:41.019Z",
    "dateReserved": "2025-12-30T12:06:44.495Z",
    "dateUpdated": "2025-12-30T12:08:41.019Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54165\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:04.283\",\"lastModified\":\"2025-12-30T13:16:04.283\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nzsmalloc: move LRU update from zs_map_object() to zs_malloc()\\n\\nUnder memory pressure, we sometimes observe the following crash:\\n\\n[ 5694.832838] ------------[ cut here ]------------\\n[ 5694.842093] list_del corruption, ffff888014b6a448-\u003enext is LIST_POISON1 (dead000000000100)\\n[ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80\\n[ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S                5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1\\n[ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021\\n[ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80\\n[ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 \u003c0f\u003e 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7\\n[ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246\\n[ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000\\n[ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480\\n[ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370\\n[ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002\\n[ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240\\n[ 5695.136717] FS:  00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000\\n[ 5695.152899] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0\\n[ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 5695.207197] PKRU: 55555554\\n[ 5695.212602] Call Trace:\\n[ 5695.217486]  \u003cTASK\u003e\\n[ 5695.221674]  zs_map_object+0x91/0x270\\n[ 5695.229000]  zswap_frontswap_store+0x33d/0x870\\n[ 5695.237885]  ? do_raw_spin_lock+0x5d/0xa0\\n[ 5695.245899]  __frontswap_store+0x51/0xb0\\n[ 5695.253742]  swap_writepage+0x3c/0x60\\n[ 5695.261063]  shrink_page_list+0x738/0x1230\\n[ 5695.269255]  shrink_lruvec+0x5ec/0xcd0\\n[ 5695.276749]  ? shrink_slab+0x187/0x5f0\\n[ 5695.284240]  ? mem_cgroup_iter+0x6e/0x120\\n[ 5695.292255]  shrink_node+0x293/0x7b0\\n[ 5695.299402]  do_try_to_free_pages+0xea/0x550\\n[ 5695.307940]  try_to_free_pages+0x19a/0x490\\n[ 5695.316126]  __folio_alloc+0x19ff/0x3e40\\n[ 5695.323971]  ? __filemap_get_folio+0x8a/0x4e0\\n[ 5695.332681]  ? walk_component+0x2a8/0xb50\\n[ 5695.340697]  ? generic_permission+0xda/0x2a0\\n[ 5695.349231]  ? __filemap_get_folio+0x8a/0x4e0\\n[ 5695.357940]  ? walk_component+0x2a8/0xb50\\n[ 5695.365955]  vma_alloc_folio+0x10e/0x570\\n[ 5695.373796]  ? walk_component+0x52/0xb50\\n[ 5695.381634]  wp_page_copy+0x38c/0xc10\\n[ 5695.388953]  ? filename_lookup+0x378/0xbc0\\n[ 5695.397140]  handle_mm_fault+0x87f/0x1800\\n[ 5695.405157]  do_user_addr_fault+0x1bd/0x570\\n[ 5695.413520]  exc_page_fault+0x5d/0x110\\n[ 5695.421017]  asm_exc_page_fault+0x22/0x30\\n\\nAfter some investigation, I have found the following issue: unlike other\\nzswap backends, zsmalloc performs the LRU list update at the object\\nmapping time, rather than when the slot for the object is allocated.\\nThis deviation was discussed and agreed upon during the review process\\nof the zsmalloc writeback patch series:\\n\\nhttps://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/\\n\\nUnfortunately, this introduces a subtle bug that occurs when there is a\\nconcurrent store and reclaim, which interleave as follows:\\n\\nzswap_frontswap_store()            shrink_worker()\\n  zs_malloc()                        zs_zpool_shrink()\\n    spin_lock(\u0026pool-\u003elock)             zs_reclaim_page()\\n    zspage = find_get_zspage()\\n    spin_unlock(\u0026pool-\u003elock)\\n                                         spin_lock(\u0026pool-\u003elock)\\n                                         zspage = list_first_entry(\u0026pool-\u003elru)\\n                  \\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/d461aac924b937bcb4fd0ca1242b3ef6868ecddd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e95adf7486f2cb5f1bb303113ca30460951923e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.