CVE-2023-54293
Use-After-Free Vulnerability in Linux bcache Causes Kernel Crash
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the Linux kernel's bcache subsystem related to the management of a linked list called btree_cache_wait. When multiple threads attempt to cannibalize cached btree nodes, only one thread can do so at a time, and others are added to this wait list. The issue occurs because the code fails to properly remove an operation from the btree_cache_wait list before freeing its memory, which damages the list structure and leads to kernel crashes due to list corruption.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash due to corruption of the btree_cache_wait linked list. Kernel crashes can lead to system instability, unexpected reboots, potential data loss, and denial of service conditions on affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring kernel crash logs for messages related to 'list_add corruption' and invalid memory addresses in the bcache subsystem. Specifically, look for kernel log entries similar to 'list_add corruption. next->prev should be prev' and call traces involving bch_btree_check_thread, mca_cannibalize_lock, and related functions. Commands such as 'dmesg | grep -i "list_add corruption"' or 'journalctl -k | grep -i bcache' can help identify these crash signatures.
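The detection approach described above, as an added example that is not from the CVE record or the kernel project: a POSIX shell script that checks a saved kernel log (dmesg or journalctl -k output) for the combined signature, a 'list_add corruption' message together with a bcache call trace naming mca_cannibalize_lock or bch_btree_check_thread. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan a saved kernel log for the bcache btree_cache_wait
# corruption signature. Pass a file containing 'dmesg' or 'journalctl -k' output.

# Returns 0 when the log has a 'list_add corruption' message AND a call trace
# naming one of the bcache functions from the crash signature, otherwise 1.
bcache_list_corruption_signature() {
    logfile="$1"
    grep -qi 'list_add corruption' "$logfile" || return 1
    grep -Eqi 'bch_btree_check_thread|mca_cannibalize_lock' "$logfile" || return 1
    return 0
}

# Prints how many 'list_add corruption' messages the log contains (0 if none).
bcache_list_corruption_count() {
    grep -ci 'list_add corruption' "$1" || true
}

# Constructed sample log (not a real capture); addresses are made up.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[  120.441] bcache: register_bdev() registered backing device sdb1
[  350.118] list_add corruption. next->prev should be prev (ffff88810000a400), but was ffff88810000ffff. (next=ffff88810000a500).
[  350.119] Call Trace:
[  350.119]  mca_cannibalize_lock+0x8c/0xd0 [bcache]
[  350.120]  bch_btree_check_thread+0x1e4/0x3a0 [bcache]
EOF

if bcache_list_corruption_signature "$SAMPLE_LOG"; then
    echo "bcache list corruption signature found: $(bcache_list_corruption_count "$SAMPLE_LOG") report(s)"
else
    echo "no matching signature in $SAMPLE_LOG"
fi
```

On a live system run the function against `dmesg > /tmp/kern.log` or `journalctl -k > /tmp/kern.log`; a match indicates the crash pattern, not the kernel version, so confirm the installed kernel against the fixed release separately.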
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Linux kernel to a version where the bcache fix has been applied. The fix ensures that finish_wait() is called to properly remove operations from the btree_cache_wait list before freeing memory, and that bch_cannibalize_unlock() is called to release locks and wake up waiters, preventing list corruption and kernel crashes.