DEBIAN-CVE-2023-54316
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-54316
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54316.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-54316
- Upstream
- Published
- 2025-12-30T13:16:20.867Z
- Modified
- 2026-03-11T07:36:31.770395Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: refscale: Fix uninitalized use of waitqueueheadt Running the refscale test occasionally crashes the kernel with the following error: [ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: errorcode(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPTRT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:preparetowaitevent+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] refscalereader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] retfromfork+0x1f/0x30 [ 8569.952973] </TASK> The likely cause is that initwaitqueuehead() is called after the call to the torturecreatekthread() function that creates the refscalereader kthread. Although this initwaitqueuehead() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torturecreatekthread() and initwaitqueuehead(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being. The above crash happened here: static inline void _addwaitqueue(...) { : if (!(wq->flags & WQFLAGPRIORITY)) <=== Crash here The offset of flags from listhead entry in waitqueueentry is -0x18. If readertasks[i].wq.head.next is NULL as allocated readertask structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above. This commit therefore invokes initwaitqueuehead() before creating the kthread.
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.197-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.55-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source