{"id":"CVE-2023-53709","summary":"ring-buffer: Handle race between rb_move_tail and rb_check_pages","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Handle race between rb_move_tail and rb_check_pages\n\nIt seems a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is been updating, while at same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\n\n  rb_check_pages()            rb_handle_head_page():\n  --------                    --------\n  rb_head_page_deactivate()\n                              rb_head_page_set_normal()\n  rb_head_page_activate()\n\nWe do intergrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let's refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n\n[1] and [2] are the test to reproduce and the crash report respectively.\n\n1:\n``` read_trace.sh\n  while true;\n  do\n    # the \"trace\" file is closed after read\n    head -1 /sys/kernel/tracing/trace \u003e /dev/null\n  done\n```\n``` repro.sh\n  sysctl -w kernel.panic_on_warn=1\n  # function tracer will writing enough data into ring_buffer\n  echo function \u003e /sys/kernel/tracing/current_tracer\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n  ./read_trace.sh &\n```\n\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G        W          6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 \u003c0f\u003e 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS:  0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n \u003cTASK\u003e\n ring_buffer_lock_reserve+0x136/0x360\n ? __do_softirq+0x287/0x2df\n ? __pfx_rcu_softirq_qs+0x10/0x10\n trace_function+0x21/0x110\n ? __pfx_rcu_softirq_qs+0x10/0x10\n ? __do_softirq+0x287/0x2df\n function_trace_call+0xf6/0x120\n 0xffffffffc038f097\n ? rcu_softirq_qs+0x5/0x140\n rcu_softirq_qs+0x5/0x140\n __do_softirq+0x287/0x2df\n run_ksoftirqd+0x2a/0x30\n smpboot_thread_fn+0x188/0x220\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0xe7/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n \u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\n[ crash report and test reproducer credit goes to Zheng Yejian]","modified":"2026-03-20T12:33:18.500754Z","published":"2025-10-22T13:23:45.155Z","related":["SUSE-SU-2025:4111-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4320-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53709.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e02a43acd0691791df79ce538f2dd497a6c9b76"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8843e06f67b14f71c044bf6267b2387784c7e198"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9674390ac540ed06768e3fbc2dba553929fbd736"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d41db100bc386b9433a3fc87026f5e8b453653e3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53709.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53709"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1039221cc2787dee51a7ffbf9b0e79d192dadf76"},{"fixed":"6e02a43acd0691791df79ce538f2dd497a6c9b76"},{"fixed":"d41db100bc386b9433a3fc87026f5e8b453653e3"},{"fixed":"9674390ac540ed06768e3fbc2dba553929fbd736"},{"fixed":"09b1bf25f7f7a8f2bf8cd4278bba9c3172db8013"},{"fixed":"8843e06f67b14f71c044bf6267b2387784c7e198"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53709.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"5.10.173"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.99"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.2.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53709.json"}}],"schema_version":"1.7.5"}