VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54268

CVE-2023-54268

Description

In the Linux kernel, the following vulnerability has been resolved:

debugobjects: Don't wake up kswapd from fill_pool()

syzbot is reporting a lockdep warning in fill_pool() because the allocation from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM) and therefore tries to wake up kswapd, which acquires kswapd_wait::lock.

Since fill_pool() might be called with arbitrary locks held, fill_pool() should not assume that acquiring kswapd_wait::lock is safe.

Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for !__GFP_DIRECT_RECLAIM allocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel debugobjects fill_pool() uses GFP_ATOMIC with __GFP_KSWAPD_RECLAIM, causing lockdep warning when waking kswapd under arbitrary locks.

Root

Cause

The vulnerability resides in the debugobjects subsystem's fill_pool() function, which allocates memory using GFP_ATOMIC. This flag includes __GFP_KSWAPD_RECLAIM, causing the allocation to attempt to wake up kswapd, which acquires the kswapd_wait::lock. Since fill_pool() can be invoked while holding arbitrary locks, this can lead to a lockdep warning and potential deadlock.

Exploitation

Exploitation requires no special privileges; an attacker could trigger the code path that calls fill_pool() while holding a lock that conflicts with kswapd_wait::lock. This is likely reachable from user space via certain operations that cause debug object tracking. The syzbot fuzzer discovered this issue, indicating it can be triggered remotely or locally.

Impact

The impact is a system lockup or denial of service due to a deadlock or lockdep splat. While not directly exploitable for code execution, it can cause system instability.

Mitigation

The fix replaces GFP_ATOMIC with __GFP_HIGH and removes the unnecessary __GFP_NORETRY flag. The patch has been applied to stable kernel branches as seen in commits [1][2][3]. Users should update to the latest stable kernel.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

6
be646802b3dc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
fd673079749b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
aee97eec7702
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d7fff52c99d5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
4c088d30a72d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
eb799279fb1f
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.