{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53368","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-17T14:54:09.734Z","datePublished":"2025-09-17T14:56:56.752Z","dateUpdated":"2026-05-11T19:43:35.800Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:43:35.800Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race issue between cpu buffer write and swap\n\nWarning happened in rb_end_commit() at code:\n\tif (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing)))\n\n WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142\n\trb_commit+0x402/0x4a0\n Call Trace:\n ring_buffer_unlock_commit+0x42/0x250\n trace_buffer_unlock_commit_regs+0x3b/0x250\n trace_event_buffer_commit+0xe5/0x440\n trace_event_buffer_reserve+0x11c/0x150\n trace_event_raw_event_sched_switch+0x23c/0x2c0\n __traceiter_sched_switch+0x59/0x80\n __schedule+0x72b/0x1580\n schedule+0x92/0x120\n worker_thread+0xa0/0x6f0\n\nIt is because the race between writing event into cpu buffer and swapping\ncpu buffer through file per_cpu/cpu0/snapshot:\n\n Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1\n -------- --------\n tracing_snapshot_write()\n [...]\n\n ring_buffer_lock_reserve()\n cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a';\n [...]\n rb_reserve_next_event()\n [...]\n\n ring_buffer_swap_cpu()\n if (local_read(&cpu_buffer_a->committing))\n goto out_dec;\n if (local_read(&cpu_buffer_b->committing))\n goto out_dec;\n buffer_a->buffers[cpu] = cpu_buffer_b;\n buffer_b->buffers[cpu] = cpu_buffer_a;\n // 2. cpu_buffer has swapped here.\n\n rb_start_commit(cpu_buffer);\n if (unlikely(READ_ONCE(cpu_buffer->buffer)\n != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer'\n [...] // has not changed here.\n return NULL;\n }\n cpu_buffer_b->buffer = buffer_a;\n cpu_buffer_a->buffer = buffer_b;\n [...]\n\n // 4. Reserve event from 'cpu_buffer_a'.\n\n ring_buffer_unlock_commit()\n [...]\n cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!!\n rb_commit(cpu_buffer)\n rb_end_commit() // 6. WARN for the wrong 'committing' state !!!\n\nBased on above analysis, we can easily reproduce by following testcase:\n ``` bash\n #!/bin/bash\n\n dmesg -n 7\n sysctl -w kernel.panic_on_warn=1\n TR=/sys/kernel/tracing\n echo 7 > ${TR}/buffer_size_kb\n echo \"sched:sched_switch\" > ${TR}/set_event\n while [ true ]; do\n echo 1 > ${TR}/per_cpu/cpu0/snapshot\n done &\n while [ true ]; do\n echo 1 > ${TR}/per_cpu/cpu0/snapshot\n done &\n while [ true ]; do\n echo 1 > ${TR}/per_cpu/cpu0/snapshot\n done &\n ```\n\nTo fix it, IIUC, we can use smp_call_function_single() to do the swap on\nthe target cpu where the buffer is located, so that above race would be\navoided."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace.c"],"versions":[{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"90e037cabc2c2dfc39b3dd9c5b22ea91f995539a","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"6182318ac04648b46db9d441fd7d696337fcdd0b","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"74c85396bd73eca80b96510b4edf93b9a3aff75f","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"89c89da92a60028013f9539be0dcce7e44405a43","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"37ca1b686078b00cc4ffa008e2190615f7709b5d","status":"affected","versionType":"git"},{"version":"f1affcaaa861f27752a769f889bf1486ebd301fe","lessThan":"3163f635b20e9e1fb4659e74f47918c9dddfe64e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"5.4.257","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.195","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.132","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.53","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.16","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5.3","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.4.257"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.10.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"5.15.132"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.4.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.5.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/90e037cabc2c2dfc39b3dd9c5b22ea91f995539a"},{"url":"https://git.kernel.org/stable/c/c5d30d6aa83d99fba8dfdd9cf6c4e4e7a63244db"},{"url":"https://git.kernel.org/stable/c/6182318ac04648b46db9d441fd7d696337fcdd0b"},{"url":"https://git.kernel.org/stable/c/74c85396bd73eca80b96510b4edf93b9a3aff75f"},{"url":"https://git.kernel.org/stable/c/89c89da92a60028013f9539be0dcce7e44405a43"},{"url":"https://git.kernel.org/stable/c/37ca1b686078b00cc4ffa008e2190615f7709b5d"},{"url":"https://git.kernel.org/stable/c/3163f635b20e9e1fb4659e74f47918c9dddfe64e"}],"title":"tracing: Fix race issue between cpu buffer write and swap","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":4.7,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2023-53368","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T18:46:08.777326Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-362","description":"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T18:53:02.706Z"}}]}}