Linux Kernel up to 6.3.3 drm_sched_fault timeout_wq null pointer dereference

Summaryinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.3.3. Impacted is the function drm_sched_fault. This manipulation of the argument timeout_wq causes null pointer dereference. This vulnerability appears as CVE-2023-53351. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.3.3. Affected by this vulnerability is the function drm_sched_fault. The manipulation of the argument timeout_wq with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Check scheduler work queue before calling timeout handling During an IGT GPU reset test we see again oops despite of commit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling timeout handling). It uses ready condition whether to call drm_sched_fault which unwind the TDR leads to GPU reset. However it looks the ready condition is overloaded with other meanings, for example, for the following stack is related GPU reset : 0 gfx_v9_0_cp_gfx_start 1 gfx_v9_0_cp_gfx_resume 2 gfx_v9_0_cp_resume 3 gfx_v9_0_hw_init 4 gfx_v9_0_resume 5 amdgpu_device_ip_resume_phase2 does the following: /* start the ring */ gfx_v9_0_cp_gfx_start(adev); ring->sched.ready = true; The same approach is for other ASICs as well : gfx_v8_0_cp_gfx_resume gfx_v10_0_kiq_resume, etc... As a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault and then drm_sched_fault. However now it depends on whether the interrupt service routine drm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready field of the scheduler to true even for uninitialized schedulers and causes oops vs no fault or when ISR drm_sched_fault is completed prior gfx_v9_0_cp_gfx_start and NULL pointer dereference does not occur. Use the field timeout_wq to prevent oops for uninitialized schedulers. The field could be initialized by the work queue of resetting the domain. v1: Corrections to commit message (Luben)

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2023-53351 since 09/16/2025. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 265665 (Linux Distros Unpatched Vulnerability : CVE-2023-53351), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.3.4 eliminates this vulnerability. Applying the patch c43a96fc00b662cef1ef0eb22d40441ce2abae8f/2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (265665) and CERT Bund (WID-SEC-2025-2087). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• Open Source Linux Kernel
• RESF Rocky Linux
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.3.0
• 6.3.1
• 6.3.2
• 6.3.3

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion