CVE-2023-53709

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Handle race between rbmovetail and rbcheckpages

It seems a data race between ringbuffer writing and integrity check. That is, RBFLAG of headpage is been updating, while at same time RBFLAG was cleared when doing integrity check rbcheckpages():

rbcheckpages() rbhandleheadpage(): -------- -------- rbheadpagedeactivate() rbheadpagesetnormal() rbheadpage_activate()

We do intergrity test of the list to check if the list is corrupted and it is still worth doing it. So, let's refactor rbcheckpages() such that we no longer clear and set flag during the list sanity checking.

[1] and [2] are the test to reproduce and the crash report respectively.

1: ``` read_trace.sh while true; do # the "trace" file is closed after read head -1 /sys/kernel/tracing/trace > /dev/null done

``` repro.sh
  sysctl -w kernel.panic_on_warn=1
  # function tracer will writing enough data into ring_buffer
  echo function > /sys/kernel/tracing/current_tracer
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &
  ./read_trace.sh &

2: ------------[ cut here ]------------ WARNING: CPU: 9 PID: 62 at kernel/trace/ringbuffer.c:2653 rbmovetail+0x450/0x470 Modules linked in: CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:rbmovetail+0x450/0x470 Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24 83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83 f8 02 0f 84 ce fb ff ff e9 db RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203 RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18 RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400 RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2 R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000 R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108 FS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0 Call Trace: <TASK> ringbufferlockreserve+0x136/0x360 ? __do_softirq+0x287/0x2df ? __pfxrcusoftirqqs+0x10/0x10 tracefunction+0x21/0x110 ? __pfxrcusoftirq_qs+0x10/0x10 ? __dosoftirq+0x287/0x2df functiontracecall+0xf6/0x120 0xffffffffc038f097 ? rcusoftirqqs+0x5/0x140 rcusoftirq_qs+0x5/0x140 __dosoftirq+0x287/0x2df runksoftirqd+0x2a/0x30 smpbootthreadfn+0x188/0x220 ? __pfxsmpbootthread_fn+0x10/0x10 kthread+0xe7/0x110 ? _pfxkthread+0x10/0x10 retfromfork+0x2c/0x50 </TASK> ---[ end trace 0000000000000000 ]---

[ crash report and test reproducer credit goes to Zheng Yejian]