CVE-2023-54316

In the Linux kernel, the following vulnerability has been resolved:

refscale: Fix uninitalized use of waitqueuehead_t

Running the refscale test occasionally crashes the kernel with the following error:

[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: errorcode(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPTRT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:preparetowaitevent+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] refscalereader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] retfrom_fork+0x1f/0x30 [ 8569.952973] </TASK>

The likely cause is that initwaitqueuehead() is called after the call to the torturecreatekthread() function that creates the refscalereader kthread. Although this initwaitqueuehead() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torturecreatekthread() and initwaitqueuehead(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being.

The above crash happened here:

static inline void __add_wait_queue(...)
{
    :
    if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here

The offset of flags from listhead entry in waitqueueentry is -0x18. If readertasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above.

This commit therefore invokes initwaitqueuehead() before creating the kthread.