{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T13:49:00.198","vulnerabilities":[{"cve":{"id":"CVE-2023-53368","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-09-17T15:15:41.220","lastModified":"2026-01-14T19:16:34.020","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))\n\n  WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n  Call Trace:\n   ring_buffer_unlock_commit+0x42/0x250\n   trace_buffer_unlock_commit_regs+0x3b/0x250\n   trace_event_buffer_commit+0xe5/0x440\n   trace_event_buffer_reserve+0x11c/0x150\n   trace_event_raw_event_sched_switch+0x23c/0x2c0\n   __traceiter_sched_switch+0x59/0x80\n   __schedule+0x72b/0x1580\n   schedule+0x92/0x120\n   worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n  Write on CPU 0             Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n  --------                   --------\n                             tracing_snapshot_write()\n                               [...]\n\n  ring_buffer_lock_reserve()\n    cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';\n    [...]\n    rb_reserve_next_event()\n      [...]\n\n                               ring_buffer_swap_cpu()\n                                 if (local_read(&cpu_buffer_a->committing))\n                                     goto out_dec;\n                                 if (local_read(&cpu_buffer_b->committing))\n                                     goto out_dec;\n                                 buffer_a->buffers[cpu] = cpu_buffer_b;\n                                 buffer_b->buffers[cpu] = cpu_buffer_a;\n                                 // 2. cpu_buffer has swapped here.\n\n      rb_start_commit(cpu_buffer);\n      if (unlikely(READ_ONCE(cpu_buffer->buffer)\n          != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'\n        [...]           //    has not changed here.\n        return NULL;\n      }\n                                 cpu_buffer_b->buffer = buffer_a;\n                                 cpu_buffer_a->buffer = buffer_b;\n                                 [...]\n\n      // 4. Reserve event from 'cpu_buffer_a'.\n\n  ring_buffer_unlock_commit()\n    [...]\n    cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!\n    rb_commit(cpu_buffer)\n      rb_end_commit()  // 6. WARN for the wrong 'committing' state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n  ``` bash\n  #!/bin/bash\n\n  dmesg -n 7\n  sysctl -w kernel.panic_on_warn=1\n  TR=/sys/kernel/tracing\n  echo 7 > ${TR}/buffer_size_kb\n  echo \"sched:sched_switch\" > ${TR}/set_event\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  while [ true ]; do\n          echo 1 > ${TR}/per_cpu/cpu0/snapshot\n  done &\n  ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.4.257","matchCriteriaId":"E18B639E-81C4-4BDD-94EB-C7CD0F7B989C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.195","matchCriteriaId":"C385B650-53DB-4BFB-83D1-1D8FADF653EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.132","matchCriteriaId":"5913891D-409A-4EEC-9231-F2EF5A493BC7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.53","matchCriteriaId":"B20754AF-3B8C-4574-A70D-EC24933810E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4.16","matchCriteriaId":"C3039EA3-F6CA-43EF-9F17-81A7EC6841EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.5.3","matchCriteriaId":"880C803A-BEAE-4DA0-8A59-AC023F7B4EE3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}