{"id":"CVE-2023-53623","summary":"mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix swap_info_struct race between swapoff and get_swap_pages()\n\nThe si-\u003elock must be held when deleting the si from the available list. \nOtherwise, another thread can re-add the si to the available list, which\ncan lead to memory corruption.  The only place we have found where this\nhappens is in the swapoff path.  This case can be described as below:\n\ncore 0                       core 1\nswapoff\n\ndel_from_avail_list(si)      waiting\n\ntry lock si-\u003elock            acquire swap_avail_lock\n                             and re-add si into\n                             swap_avail_head\n\nacquire si-\u003elock but missing si already being added again, and continuing\nto clear SWP_WRITEOK, etc.\n\nIt can be easily found that a massive warning messages can be triggered\ninside get_swap_pages() by some special cases, for example, we call\nmadvise(MADV_PAGEOUT) on blocks of touched memory concurrently, meanwhile,\nrun much swapon-swapoff operations (e.g.  stress-ng-swap).\n\nHowever, in the worst case, panic can be caused by the above scene.  In\nswapoff(), the memory used by si could be kept in swap_info[] after\nturning off a swap.  This means memory corruption will not be caused\nimmediately until allocated and reset for a new swap in the swapon path. \nA panic message caused: (with CONFIG_PLIST_DEBUG enabled)\n\n------------[ cut here ]------------\ntop: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a\nprev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d\nnext: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a\nWARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70\nModules linked in: rfkill(E) crct10dif_ce(E)...\nCPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 
5.10.134+\nHardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)\npc : plist_check_prev_next_node+0x50/0x70\nlr : plist_check_prev_next_node+0x50/0x70\nsp : ffff0018009d3c30\nx29: ffff0018009d3c40 x28: ffff800011b32a98\nx27: 0000000000000000 x26: ffff001803908000\nx25: ffff8000128ea088 x24: ffff800011b32a48\nx23: 0000000000000028 x22: ffff001800875c00\nx21: ffff800010f9e520 x20: ffff001800875c00\nx19: ffff001800fdc6e0 x18: 0000000000000030\nx17: 0000000000000000 x16: 0000000000000000\nx15: 0736076307640766 x14: 0730073007380731\nx13: 0736076307640766 x12: 0730073007380731\nx11: 000000000004058d x10: 0000000085a85b76\nx9 : ffff8000101436e4 x8 : ffff800011c8ce08\nx7 : 0000000000000000 x6 : 0000000000000001\nx5 : ffff0017df9ed338 x4 : 0000000000000001\nx3 : ffff8017ce62a000 x2 : ffff0017df9ed340\nx1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n plist_check_prev_next_node+0x50/0x70\n plist_check_head+0x80/0xf0\n plist_add+0x28/0x140\n add_to_avail_list+0x9c/0xf0\n _enable_swap_info+0x78/0xb4\n __do_sys_swapon+0x918/0xa10\n __arm64_sys_swapon+0x20/0x30\n el0_svc_common+0x8c/0x220\n do_el0_svc+0x2c/0x90\n el0_svc+0x1c/0x30\n el0_sync_handler+0xa8/0xb0\n el0_sync+0x148/0x180\nirq event stamp: 2082270\n\nNow, si-\u003elock locked before calling 'del_from_avail_list()' to make sure\nother thread see the si had been deleted and SWP_WRITEOK cleared together,\nwill not reinsert again.\n\nThis problem exists in versions after stable 
5.10.y.","modified":"2026-03-20T12:33:15.596144Z","published":"2025-10-07T15:19:28.834Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53623.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/111a79d9b92f0a679fe300ccd3119ae9741f3d54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4bdf1514b4268d29360ba9e43becdd49955bc7ae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6fe7d6b992113719e96744d974212df3fcddc76c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85cc118ce6f1a627901b6db50c9d01f2ad78cdbf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a55f268abdb74ac5633b75a09fefb58458e9d2a2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9927d3a60ca9ed35625470888629c074e687ba0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7bba7ddb4318d5ea939c8db747c2c2780ab66f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea8c42b3b6d95ced3a4f555f04686d00ef0bb206"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53623.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53623"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a2468cc9bfdff6139f59ca896671e5819ff5f94a"},{"fixed":"111a79d9b92f0a679fe300ccd3119ae9741f3d54"},{"fixed":"a55f268abdb74ac5633b75a09fefb58458e9d2a2"},{"fixed":"e7bba7ddb4318d5ea939c8db747c2c2780ab66f4"},{"fixed":"ea8c42b3b6d95ced3a4f555f04686d00ef0bb206"},{"fixed":"4bdf1514b4268d29360ba9e43becdd49955bc7ae"},{"fixed":"85cc118ce6f1a627901b6db50c9d01f2ad78cdbf"},{"fixed":"b9927d3a60ca9ed35625470888629c074e687ba0"},{"fixed":"6fe7d6b992113719e96744d974212df3fcddc76c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53623.json"}}],"schema_version":"1.7.5"}