{
  "threat_severity" : "Low",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: refscale: Fix uninitalized use of wait_queue_head_t",
    "id" : "2426135",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426135"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nrefscale: Fix uninitalized use of wait_queue_head_t\nRunning the refscale test occasionally crashes the kernel with the\nfollowing error:\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\n[ 8569.952900] #PF: supervisor read access in kernel mode\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\n:\n[ 8569.952940] Call Trace:\n[ 8569.952941]  <TASK>\n[ 8569.952944]  ref_scale_reader+0x380/0x4a0 [refscale]\n[ 8569.952959]  kthread+0x10e/0x130\n[ 8569.952966]  ret_from_fork+0x1f/0x30\n[ 8569.952973]  </TASK>\nThe likely cause is that init_waitqueue_head() is called after the call to\nthe torture_create_kthread() function that creates the ref_scale_reader\nkthread.  Although this init_waitqueue_head() call will very likely\ncomplete before this kthread is created and starts running, it is\npossible that the calling kthread will be delayed between the calls to\ntorture_create_kthread() and init_waitqueue_head().  In this case, the\nnew kthread will use the waitqueue head before it is properly initialized,\nwhich is not good for the kernel's health and well-being.\nThe above crash happened here:\nstatic inline void __add_wait_queue(...)\n{\n:\nif (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here\nThe offset of flags from list_head entry in wait_queue_entry is\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\nstructure is zero initialized, the instruction will try to access address\n0xffffffffffffffe8, which is exactly the fault address listed above.\nThis commit therefore invokes init_waitqueue_head() before creating\nthe kthread.", "A use of uninitialized data was found in the refscale test module. The wait_queue_head_t is used before being initialized, causing a race condition that can crash the kernel during testing." ],
  "statement" : "This affects only the refscale test/benchmark module, which is not loaded in production systems. The crash is a race condition in test initialization code used for RCU performance analysis.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54316\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54316\nhttps://lore.kernel.org/linux-cve-announce/2025123037-CVE-2023-54316-f3c8@gregkh/T" ],
  "name" : "CVE-2023-54316",
  "csaw" : false
}