{
  "threat_severity" : "Low",
  "public_date" : "2025-10-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ring-buffer: Handle race between rb_move_tail and rb_check_pages",
    "id" : "2405758",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2405758"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nring-buffer: Handle race between rb_move_tail and rb_check_pages\nIt seems a data race between ring_buffer writing and integrity check.\nThat is, RB_FLAG of head_page is been updating, while at same time\nRB_FLAG was cleared when doing integrity check rb_check_pages():\nrb_check_pages()            rb_handle_head_page():\n--------                    --------\nrb_head_page_deactivate()\nrb_head_page_set_normal()\nrb_head_page_activate()\nWe do intergrity test of the list to check if the list is corrupted and\nit is still worth doing it. So, let's refactor rb_check_pages() such that\nwe no longer clear and set flag during the list sanity checking.\n[1] and [2] are the test to reproduce and the crash report respectively.\n1:\n``` read_trace.sh\nwhile true;\ndo\n# the \"trace\" file is closed after read\nhead -1 /sys/kernel/tracing/trace > /dev/null\ndone\n```\n``` repro.sh\nsysctl -w kernel.panic_on_warn=1\n# function tracer will writing enough data into ring_buffer\necho function > /sys/kernel/tracing/current_tracer\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n./read_trace.sh &\n```\n2:\n------------[ cut here ]------------\nWARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653\nrb_move_tail+0x450/0x470\nModules linked in:\nCPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G        W          6.2.0-rc6+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:rb_move_tail+0x450/0x470\nCode: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24\n83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83\nf8 02 0f 84 ce fb ff ff e9 db\nRSP: 0018:ffffb5564089bd00 EFLAGS: 00000203\nRAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18\nRDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400\nRBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2\nR10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000\nR13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108\nFS:  0000000000000000(0000) GS:ffff9db3bdcc0000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0\nCall Trace:\n<TASK>\nring_buffer_lock_reserve+0x136/0x360\n? __do_softirq+0x287/0x2df\n? __pfx_rcu_softirq_qs+0x10/0x10\ntrace_function+0x21/0x110\n? __pfx_rcu_softirq_qs+0x10/0x10\n? __do_softirq+0x287/0x2df\nfunction_trace_call+0xf6/0x120\n0xffffffffc038f097\n? rcu_softirq_qs+0x5/0x140\nrcu_softirq_qs+0x5/0x140\n__do_softirq+0x287/0x2df\nrun_ksoftirqd+0x2a/0x30\nsmpboot_thread_fn+0x188/0x220\n? __pfx_smpboot_thread_fn+0x10/0x10\nkthread+0xe7/0x110\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2c/0x50\n</TASK>\n---[ end trace 0000000000000000 ]---\n[ crash report and test reproducer credit goes to Zheng Yejian]" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53709\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53709\nhttps://lore.kernel.org/linux-cve-announce/2025102212-CVE-2023-53709-553a@gregkh/T" ],
  "name" : "CVE-2023-53709",
  "csaw" : false
}