fkie_cve-2023-53368
Vulnerability from fkie_nvd
Published
2025-09-17 15:15
Modified
2025-09-18 13:43
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race issue between cpu buffer write and swap
Warning happened in rb_end_commit() at code:
if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))
WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142
rb_commit+0x402/0x4a0
Call Trace:
ring_buffer_unlock_commit+0x42/0x250
trace_buffer_unlock_commit_regs+0x3b/0x250
trace_event_buffer_commit+0xe5/0x440
trace_event_buffer_reserve+0x11c/0x150
trace_event_raw_event_sched_switch+0x23c/0x2c0
__traceiter_sched_switch+0x59/0x80
__schedule+0x72b/0x1580
schedule+0x92/0x120
worker_thread+0xa0/0x6f0
It is because the race between writing event into cpu buffer and swapping
cpu buffer through file per_cpu/cpu0/snapshot:
Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1
-------- --------
tracing_snapshot_write()
[...]
ring_buffer_lock_reserve()
cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';
[...]
rb_reserve_next_event()
[...]
ring_buffer_swap_cpu()
if (local_read(&cpu_buffer_a->committing))
goto out_dec;
if (local_read(&cpu_buffer_b->committing))
goto out_dec;
buffer_a->buffers[cpu] = cpu_buffer_b;
buffer_b->buffers[cpu] = cpu_buffer_a;
// 2. cpu_buffer has swapped here.
rb_start_commit(cpu_buffer);
if (unlikely(READ_ONCE(cpu_buffer->buffer)
!= buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'
[...] // has not changed here.
return NULL;
}
cpu_buffer_b->buffer = buffer_a;
cpu_buffer_a->buffer = buffer_b;
[...]
// 4. Reserve event from 'cpu_buffer_a'.
ring_buffer_unlock_commit()
[...]
cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!
rb_commit(cpu_buffer)
rb_end_commit() // 6. WARN for the wrong 'committing' state !!!
Based on above analysis, we can easily reproduce by following testcase:
``` bash
#!/bin/bash
dmesg -n 7
sysctl -w kernel.panic_on_warn=1
TR=/sys/kernel/tracing
echo 7 > ${TR}/buffer_size_kb
echo "sched:sched_switch" > ${TR}/set_event
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
while [ true ]; do
echo 1 > ${TR}/per_cpu/cpu0/snapshot
done &
```
To fix it, IIUC, we can use smp_call_function_single() to do the swap on
the target cpu where the buffer is located, so that above race would be
avoided.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(\u0026cpu_buffer-\u003ecommitting)))\n\n WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n Call Trace:\n ring_buffer_unlock_commit+0x42/0x250\n trace_buffer_unlock_commit_regs+0x3b/0x250\n trace_event_buffer_commit+0xe5/0x440\n trace_event_buffer_reserve+0x11c/0x150\n trace_event_raw_event_sched_switch+0x23c/0x2c0\n __traceiter_sched_switch+0x59/0x80\n __schedule+0x72b/0x1580\n schedule+0x92/0x120\n worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n -------- --------\n tracing_snapshot_write()\n [...]\n\n ring_buffer_lock_reserve()\n cpu_buffer = buffer-\u003ebuffers[cpu]; // 1. Suppose find \u0027cpu_buffer_a\u0027;\n [...]\n rb_reserve_next_event()\n [...]\n\n ring_buffer_swap_cpu()\n if (local_read(\u0026cpu_buffer_a-\u003ecommitting))\n goto out_dec;\n if (local_read(\u0026cpu_buffer_b-\u003ecommitting))\n goto out_dec;\n buffer_a-\u003ebuffers[cpu] = cpu_buffer_b;\n buffer_b-\u003ebuffers[cpu] = cpu_buffer_a;\n // 2. cpu_buffer has swapped here.\n\n rb_start_commit(cpu_buffer);\n if (unlikely(READ_ONCE(cpu_buffer-\u003ebuffer)\n != buffer)) { // 3. This check passed due to \u0027cpu_buffer-\u003ebuffer\u0027\n [...] // has not changed here.\n return NULL;\n }\n cpu_buffer_b-\u003ebuffer = buffer_a;\n cpu_buffer_a-\u003ebuffer = buffer_b;\n [...]\n\n // 4. Reserve event from \u0027cpu_buffer_a\u0027.\n\n ring_buffer_unlock_commit()\n [...]\n cpu_buffer = buffer-\u003ebuffers[cpu]; // 5. Now find \u0027cpu_buffer_b\u0027 !!!\n rb_commit(cpu_buffer)\n rb_end_commit() // 6. WARN for the wrong \u0027committing\u0027 state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n ``` bash\n #!/bin/bash\n\n dmesg -n 7\n sysctl -w kernel.panic_on_warn=1\n TR=/sys/kernel/tracing\n echo 7 \u003e ${TR}/buffer_size_kb\n echo \"sched:sched_switch\" \u003e ${TR}/set_event\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n while [ true ]; do\n echo 1 \u003e ${TR}/per_cpu/cpu0/snapshot\n done \u0026\n ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided."
}
],
"id": "CVE-2023-53368",
"lastModified": "2025-09-18T13:43:34.310",
"metrics": {},
"published": "2025-09-17T15:15:41.220",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…