ghsa-2fjh-g9hr-2x3g
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
refscale: Fix uninitalized use of wait_queue_head_t
Running the refscale test occasionally crashes the kernel with the following error:
[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973]
The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being.
The above crash happened here:
static inline void __add_wait_queue(...)
{
:
if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here
The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above.
This commit therefore invokes init_waitqueue_head() before creating the kthread.
{
"affected": [],
"aliases": [
"CVE-2023-54316"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T13:16:20Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrefscale: Fix uninitalized use of wait_queue_head_t\n\nRunning the refscale test occasionally crashes the kernel with the\nfollowing error:\n\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\n[ 8569.952900] #PF: supervisor read access in kernel mode\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\n :\n[ 8569.952940] Call Trace:\n[ 8569.952941] \u003cTASK\u003e\n[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]\n[ 8569.952959] kthread+0x10e/0x130\n[ 8569.952966] ret_from_fork+0x1f/0x30\n[ 8569.952973] \u003c/TASK\u003e\n\nThe likely cause is that init_waitqueue_head() is called after the call to\nthe torture_create_kthread() function that creates the ref_scale_reader\nkthread. Although this init_waitqueue_head() call will very likely\ncomplete before this kthread is created and starts running, it is\npossible that the calling kthread will be delayed between the calls to\ntorture_create_kthread() and init_waitqueue_head(). In this case, the\nnew kthread will use the waitqueue head before it is properly initialized,\nwhich is not good for the kernel\u0027s health and well-being.\n\nThe above crash happened here:\n\n\tstatic inline void __add_wait_queue(...)\n\t{\n\t\t:\n\t\tif (!(wq-\u003eflags \u0026 WQ_FLAG_PRIORITY)) \u003c=== Crash here\n\nThe offset of flags from list_head entry in wait_queue_entry is\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\nstructure is zero initialized, the instruction will try to access address\n0xffffffffffffffe8, which is exactly the fault address listed above.\n\nThis commit therefore invokes init_waitqueue_head() before creating\nthe kthread.",
"id": "GHSA-2fjh-g9hr-2x3g",
"modified": "2025-12-30T15:30:36Z",
"published": "2025-12-30T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54316"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.