GHSA-V9CW-759Q-RVPJ

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

bcache: fixup btree_cache_wait list damage

We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)."

crash> struct list_head 0xffff9c801bc01210
struct list_head {
  next = 0xffffae586d8afe68,
  prev = 0xffffae586d8afe68
}
crash> struct list_head 0xffff9c77b688237c
struct list_head {
  next = 0x0,
  prev = 0x0
}
crash> struct list_head 0xffffae586d8afe68
struct list_head struct: invalid kernel virtual address: ffffae586d8afe68  type: "gdb_readmem_callback"
Cannot access memory at address 0xffffae586d8afe68

[230469.019492] Call Trace:
[230469.032041]  prepare_to_wait+0x8a/0xb0
[230469.044363]  ? bch_btree_keys_free+0x6c/0xc0 [escache]
[230469.056533]  mca_cannibalize_lock+0x72/0x90 [escache]
[230469.068788]  mca_alloc+0x2ae/0x450 [escache]
[230469.080790]  bch_btree_node_get+0x136/0x2d0 [escache]
[230469.092681]  bch_btree_check_thread+0x1e1/0x260 [escache]
[230469.104382]  ? finish_wait+0x80/0x80
[230469.115884]  ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]
[230469.127259]  kthread+0x112/0x130
[230469.138448]  ? kthread_flush_work_fn+0x10/0x10
[230469.149477]  ret_from_fork+0x35/0x40

bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list.

We must call finish_wait() to remove op from btree_cache_wait before freeing its memory address. Otherwise, the list will be damaged. We should also call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters.
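The failure mode described above, modelled in userspace C as an added example (not the kernel's code and not the patch): a wait entry embedded in an op is left on the shared list when the op's storage is released, and the next insertion trips the same `next->prev` sanity check quoted in the crash message. `struct op`, `model_prepare_to_wait`, `model_finish_wait` and `second_waiter_ok` are hypothetical names, and the release is simulated by zeroing the op so the demo stays well-defined.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified userspace model of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }

/* Same sanity check that produces "list_add corruption" in the kernel. */
static bool list_add_checked(struct list_head *new, struct list_head *head)
{
    struct list_head *next = head->next;
    if (next->prev != head)
        return false;                 /* next->prev should be prev (head) */
    next->prev = new; new->next = next;
    new->prev = head; head->next = new;
    return true;
}

/* Hypothetical stand-in for a btree op that embeds its wait entry. */
struct op { struct list_head wait_entry; };

/* Models prepare_to_wait(): queue the op on the shared wait list. */
static bool model_prepare_to_wait(struct list_head *wq, struct op *op)
{
    init_list(&op->wait_entry);
    return list_add_checked(&op->wait_entry, wq);
}

/* Models finish_wait(): unlink the entry before its storage goes away. */
static void model_finish_wait(struct op *op)
{
    struct list_head *e = &op->wait_entry;
    e->prev->next = e->next; e->next->prev = e->prev;
    init_list(e);
}

/* True if a second waiter can still queue after the first op is released. */
static bool second_waiter_ok(bool call_finish_wait)
{
    struct list_head wq; struct op first, second;
    init_list(&wq);
    model_prepare_to_wait(&wq, &first);
    if (call_finish_wait)
        model_finish_wait(&first);
    memset(&first, 0, sizeof first);  /* simulate release of the op's memory */
    return model_prepare_to_wait(&wq, &second);
}

int main(void) { return (second_waiter_ok(true) && !second_waiter_ok(false)) ? 0 : 1; }
```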


{
  "affected": [],
  "aliases": [
    "CVE-2023-54293"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:18Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fixup btree_cache_wait list damage\n\nWe get a kernel crash about \"list_add corruption. next-\u003eprev should be\nprev (ffff9c801bc01210), but was ffff9c77b688237c.\n(next=ffffae586d8afe68).\"\n\ncrash\u003e struct list_head 0xffff9c801bc01210\nstruct list_head {\n  next = 0xffffae586d8afe68,\n  prev = 0xffffae586d8afe68\n}\ncrash\u003e struct list_head 0xffff9c77b688237c\nstruct list_head {\n  next = 0x0,\n  prev = 0x0\n}\ncrash\u003e struct list_head 0xffffae586d8afe68\nstruct list_head struct: invalid kernel virtual address: ffffae586d8afe68  type: \"gdb_readmem_callback\"\nCannot access memory at address 0xffffae586d8afe68\n\n[230469.019492] Call Trace:\n[230469.032041]  prepare_to_wait+0x8a/0xb0\n[230469.044363]  ? bch_btree_keys_free+0x6c/0xc0 [escache]\n[230469.056533]  mca_cannibalize_lock+0x72/0x90 [escache]\n[230469.068788]  mca_alloc+0x2ae/0x450 [escache]\n[230469.080790]  bch_btree_node_get+0x136/0x2d0 [escache]\n[230469.092681]  bch_btree_check_thread+0x1e1/0x260 [escache]\n[230469.104382]  ? finish_wait+0x80/0x80\n[230469.115884]  ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]\n[230469.127259]  kthread+0x112/0x130\n[230469.138448]  ? kthread_flush_work_fn+0x10/0x10\n[230469.149477]  ret_from_fork+0x35/0x40\n\nbch_btree_check_thread() and bch_dirty_init_thread() may call\nmca_cannibalize() to cannibalize other cached btree nodes. Only one thread\ncan do it at a time, so the op of other threads will be added to the\nbtree_cache_wait list.\n\nWe must call finish_wait() to remove op from btree_cache_wait before free\nit\u0027s memory address. Otherwise, the list will be damaged. Also should call\nbch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up\nother waiters.",
  "id": "GHSA-v9cw-759q-rvpj",
  "modified": "2025-12-30T15:30:35Z",
  "published": "2025-12-30T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54293"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

