{"id":"CVE-2023-53351","summary":"drm/sched: Check scheduler work queue before calling timeout handling","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Check scheduler work queue before calling timeout handling\n\nDuring an IGT GPU reset test we see again oops despite of\ncommit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling\ntimeout handling).\n\nIt uses ready condition whether to call drm_sched_fault which unwind\nthe TDR leads to GPU reset.\nHowever it looks the ready condition is overloaded with other meanings,\nfor example, for the following stack is related GPU reset :\n\n0  gfx_v9_0_cp_gfx_start\n1  gfx_v9_0_cp_gfx_resume\n2  gfx_v9_0_cp_resume\n3  gfx_v9_0_hw_init\n4  gfx_v9_0_resume\n5  amdgpu_device_ip_resume_phase2\n\ndoes the following:\n\t/* start the ring */\n\tgfx_v9_0_cp_gfx_start(adev);\n\tring-\u003esched.ready = true;\n\nThe same approach is for other ASICs as well :\ngfx_v8_0_cp_gfx_resume\ngfx_v10_0_kiq_resume, etc...\n\nAs a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault\nand then drm_sched_fault. However now it depends on whether the interrupt service routine\ndrm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready\nfield of the scheduler to true even  for uninitialized schedulers and causes oops vs\nno fault or when ISR  drm_sched_fault is completed prior  gfx_v9_0_cp_gfx_start and\nNULL pointer dereference does not occur.\n\nUse the field timeout_wq  to prevent oops for uninitialized schedulers.\nThe field could be initialized by the work queue of resetting the domain.\n\nv1: Corrections to commit message (Luben)","modified":"2026-03-20T12:33:07.084464Z","published":"2025-09-17T14:56:42.006Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53351.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c43a96fc00b662cef1ef0eb22d40441ce2abae8f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53351.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53351"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"11b3b9f461c5c4f700f6c8da202fcc2fd6418e1f"},{"fixed":"c43a96fc00b662cef1ef0eb22d40441ce2abae8f"},{"fixed":"2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53351.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}