{ "threat_severity" : "Moderate", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()", "id" : "2402289", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402289" }, "cvss3" : { "cvss3_base_score" : "5.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-413", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/swap: fix swap_info_struct race between swapoff and get_swap_pages()\nThe si->lock must be held when deleting the si from the available list. \nOtherwise, another thread can re-add the si to the available list, which\ncan lead to memory corruption. The only place we have found where this\nhappens is in the swapoff path. This case can be described as below:\ncore 0 core 1\nswapoff\ndel_from_avail_list(si) waiting\ntry lock si->lock acquire swap_avail_lock\nand re-add si into\nswap_avail_head\nacquire si->lock but missing si already being added again, and continuing\nto clear SWP_WRITEOK, etc.\nIt can be easily found that a massive warning messages can be triggered\ninside get_swap_pages() by some special cases, for example, we call\nmadvise(MADV_PAGEOUT) on blocks of touched memory concurrently, meanwhile,\nrun much swapon-swapoff operations (e.g. stress-ng-swap).\nHowever, in the worst case, panic can be caused by the above scene. In\nswapoff(), the memory used by si could be kept in swap_info[] after\nturning off a swap. This means memory corruption will not be caused\nimmediately until allocated and reset for a new swap in the swapon path. \nA panic message caused: (with CONFIG_PLIST_DEBUG enabled)\n------------[ cut here ]------------\ntop: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a\nprev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d\nnext: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a\nWARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70\nModules linked in: rfkill(E) crct10dif_ce(E)...\nCPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 5.10.134+\nHardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)\npc : plist_check_prev_next_node+0x50/0x70\nlr : plist_check_prev_next_node+0x50/0x70\nsp : ffff0018009d3c30\nx29: ffff0018009d3c40 x28: ffff800011b32a98\nx27: 0000000000000000 x26: ffff001803908000\nx25: ffff8000128ea088 x24: ffff800011b32a48\nx23: 0000000000000028 x22: ffff001800875c00\nx21: ffff800010f9e520 x20: ffff001800875c00\nx19: ffff001800fdc6e0 x18: 0000000000000030\nx17: 0000000000000000 x16: 0000000000000000\nx15: 0736076307640766 x14: 0730073007380731\nx13: 0736076307640766 x12: 0730073007380731\nx11: 000000000004058d x10: 0000000085a85b76\nx9 : ffff8000101436e4 x8 : ffff800011c8ce08\nx7 : 0000000000000000 x6 : 0000000000000001\nx5 : ffff0017df9ed338 x4 : 0000000000000001\nx3 : ffff8017ce62a000 x2 : ffff0017df9ed340\nx1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\nplist_check_prev_next_node+0x50/0x70\nplist_check_head+0x80/0xf0\nplist_add+0x28/0x140\nadd_to_avail_list+0x9c/0xf0\n_enable_swap_info+0x78/0xb4\n__do_sys_swapon+0x918/0xa10\n__arm64_sys_swapon+0x20/0x30\nel0_svc_common+0x8c/0x220\ndo_el0_svc+0x2c/0x90\nel0_svc+0x1c/0x30\nel0_sync_handler+0xa8/0xb0\nel0_sync+0x148/0x180\nirq event stamp: 2082270\nNow, si->lock locked before calling 'del_from_avail_list()' to make sure\nother thread see the si had been deleted and SWP_WRITEOK cleared together,\nwill not reinsert again.\nThis problem exists in versions after stable 5.10.y." ], "statement" : "The patch fixes a race condition between swapoff() and get_swap_pages() in the memory management subsystem, where the swap_info structure could be reinserted into the available list after removal, leading to list corruption and kernel panic.\nThis issue can be reproduced under heavy concurrent swap-on/swap-off and memory pressure operations, such as using tools like stress-ng --swap. It may result in severe memory corruption or system crash.\nFor the CVSS the PR:H — because the bug requires local privileged access and deliberate manipulation of swap configuration.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:3138", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53623\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53623\nhttps://lore.kernel.org/linux-cve-announce/2025100710-CVE-2023-53623-2687@gregkh/T" ], "name" : "CVE-2023-53623", "csaw" : false }