{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54293","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-30T12:06:44.527Z","datePublished":"2025-12-30T12:23:31.111Z","dateUpdated":"2026-05-11T19:59:09.658Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:59:09.658Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fixup btree_cache_wait list damage\n\nWe get a kernel crash about \"list_add corruption. next->prev should be\nprev (ffff9c801bc01210), but was ffff9c77b688237c.\n(next=ffffae586d8afe68).\"\n\ncrash> struct list_head 0xffff9c801bc01210\nstruct list_head {\n  next = 0xffffae586d8afe68,\n  prev = 0xffffae586d8afe68\n}\ncrash> struct list_head 0xffff9c77b688237c\nstruct list_head {\n  next = 0x0,\n  prev = 0x0\n}\ncrash> struct list_head 0xffffae586d8afe68\nstruct list_head struct: invalid kernel virtual address: ffffae586d8afe68  type: \"gdb_readmem_callback\"\nCannot access memory at address 0xffffae586d8afe68\n\n[230469.019492] Call Trace:\n[230469.032041]  prepare_to_wait+0x8a/0xb0\n[230469.044363]  ? bch_btree_keys_free+0x6c/0xc0 [escache]\n[230469.056533]  mca_cannibalize_lock+0x72/0x90 [escache]\n[230469.068788]  mca_alloc+0x2ae/0x450 [escache]\n[230469.080790]  bch_btree_node_get+0x136/0x2d0 [escache]\n[230469.092681]  bch_btree_check_thread+0x1e1/0x260 [escache]\n[230469.104382]  ? finish_wait+0x80/0x80\n[230469.115884]  ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]\n[230469.127259]  kthread+0x112/0x130\n[230469.138448]  ? kthread_flush_work_fn+0x10/0x10\n[230469.149477]  ret_from_fork+0x35/0x40\n\nbch_btree_check_thread() and bch_dirty_init_thread() may call\nmca_cannibalize() to cannibalize other cached btree nodes. Only one thread\ncan do it at a time, so the op of other threads will be added to the\nbtree_cache_wait list.\n\nWe must call finish_wait() to remove op from btree_cache_wait before free\nit's memory address. Otherwise, the list will be damaged. Also should call\nbch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up\nother waiters."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/bcache/btree.c","drivers/md/bcache/btree.h","drivers/md/bcache/writeback.c"],"versions":[{"version":"8e7102273f597dbb38af43da874f8c123f8e6dbe","lessThan":"bcb295778afda4f2feb0d3c0289a53fd43d5a3a6","status":"affected","versionType":"git"},{"version":"8e7102273f597dbb38af43da874f8c123f8e6dbe","lessThan":"cbdd5b3322f7bbe6454c97cac994757f1192c07b","status":"affected","versionType":"git"},{"version":"8e7102273f597dbb38af43da874f8c123f8e6dbe","lessThan":"25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed","status":"affected","versionType":"git"},{"version":"8e7102273f597dbb38af43da874f8c123f8e6dbe","lessThan":"2882a4c4f0c90e99f37dbd8db369b9982fd613e7","status":"affected","versionType":"git"},{"version":"8e7102273f597dbb38af43da874f8c123f8e6dbe","lessThan":"f0854489fc07d2456f7cc71a63f4faf9c716ffbe","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/bcache/btree.c","drivers/md/bcache/btree.h","drivers/md/bcache/writeback.c"],"versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","status":"unaffected","versionType":"semver"},{"version":"5.10.188","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.121","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.39","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.4","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.10.188"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.15.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.1.39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.4.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6"},{"url":"https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b"},{"url":"https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed"},{"url":"https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7"},{"url":"https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe"}],"title":"bcache: fixup btree_cache_wait list damage","x_generator":{"engine":"bippy-1.2.0"}}}}