CVE-2023-54211
Use-After-Free Warning in Linux Kernel Ftrace Event Handling

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix warning in trace_buffered_event_disable()

Warning happened in trace_buffered_event_disable() at
  WARN_ON_ONCE(!trace_buffered_event_ref)

  Call Trace:
   ? __warn+0xa5/0x1b0
   ? trace_buffered_event_disable+0x189/0x1b0
   __ftrace_event_enable_disable+0x19e/0x3e0
   free_probe_data+0x3b/0xa0
   unregister_ftrace_function_probe_func+0x6b8/0x800
   event_enable_func+0x2f0/0x3d0
   ftrace_process_regex.isra.0+0x12d/0x1b0
   ftrace_filter_write+0xe6/0x140
   vfs_write+0x1c9/0x6f0
   [...]

The cause of the warning is in __ftrace_event_enable_disable(): trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. The reproduction script is shown below; for analysis, see the comments:

```
#!/bin/bash

cd /sys/kernel/tracing/

# 1. Register a 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was set;
#    2) trace_buffered_event_enable() was called first time;
echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter

# 2. Enable the event registered, then:
#    1) SOFT_DISABLED_BIT was cleared;
#    2) trace_buffered_event_disable() was called first time;
echo 1 > events/initcall/initcall_finish/enable

# 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was
#    set again!!!
cat /proc/cmdline

# 4. Unregister the 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was cleared again;
#    2) trace_buffered_event_disable() was called second time!!!
echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter
```

To fix it, IIUC, we can change to call trace_buffered_event_enable() at first time soft-mode enabled, and call trace_buffered_event_disable() at last time soft-mode disabled.
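The imbalance described above can be replayed in a small user-space C model, added here as an illustration; it is not kernel code and not part of the original advisory. The struct fields, the `fixed` switch and the `replay()` helper are assumptions of the model; only the four script steps and the enable/disable pairing come from the description.

```c
#include <stdbool.h>
#include <stdio.h>
struct event_file {      /* user-space model; fields are illustrative assumptions */
    bool enabled;        /* event is switched on */
    bool soft_mode;      /* a probe currently controls the event */
    bool soft_disabled;  /* models SOFT_DISABLED_BIT */
    int  sm_ref;         /* number of soft-mode users */
};
static int buffered_ref, warnings;  /* trace_buffered_event_ref, WARN hits */
/* Models __ftrace_event_enable_disable(); 'fixed' selects the patched pairing. */
static void enable_disable(struct event_file *f, bool enable, bool soft, bool fixed)
{
    bool old_sd = f->soft_disabled, old_sm = f->soft_mode;
    if (enable) {
        if (soft && ++f->sm_ref > 1) return;    /* already in soft mode */
        if (soft) f->soft_mode = true; else f->soft_disabled = false;
        if (!f->enabled) { f->soft_disabled = soft; f->enabled = true; }
    } else {
        bool off = soft ? f->soft_disabled : !f->soft_mode;
        if (soft && --f->sm_ref > 0) return;    /* other soft users remain */
        if (soft) f->soft_mode = false;
        if (off) f->enabled = false;
        f->soft_disabled = f->soft_mode;        /* set in soft mode, else clear */
    }
    /* Unpatched pairs on SOFT_DISABLED_BIT changes, patched on soft-mode changes. */
    bool was = fixed ? old_sm : old_sd, now = fixed ? f->soft_mode : f->soft_disabled;
    if (was == now) return;
    if (now) buffered_ref++;                    /* trace_buffered_event_enable() */
    else if (buffered_ref) buffered_ref--;      /* trace_buffered_event_disable() */
    else warnings++;                            /* disable without matching enable */
}

/* Replays the four steps of the reproduction script; returns warnings raised. */
static int replay(bool fixed)
{
    struct event_file f = {0};
    buffered_ref = warnings = 0;
    enable_disable(&f, true, true, fixed);      /* 1. register disable_event probe */
    enable_disable(&f, true, false, fixed);     /* 2. echo 1 > .../enable */
    f.soft_disabled = true;                     /* 3. probe fires, sets the bit */
    enable_disable(&f, false, true, fixed);     /* 4. unregister the probe */
    return warnings;
}

int main(void)
{
    printf("unpatched: %d, patched: %d warning(s)\n", replay(false), replay(true));
    return 0;
}
```

Step 3 is the key: the bit is set outside the modelled function, so the unpatched pairing never sees an enable to match the second disable.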
Meta Information
Published: 2025-12-30
Last Modified: 2025-12-30
Generated: 2026-05-07
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a warning issue in the Linux kernel's tracing subsystem, specifically in the function trace_buffered_event_disable(). The problem occurs because trace_buffered_event_enable() is called once, but trace_buffered_event_disable() is called twice, causing a warning (WARN_ON_ONCE) due to an unexpected state. This happens when enabling and disabling certain trace events in a specific sequence, leading to inconsistent internal state management. The fix involves ensuring that trace_buffered_event_enable() is called only once when soft-mode is enabled and trace_buffered_event_disable() is called only once when soft-mode is disabled.


How can this vulnerability impact me?

The vulnerability causes a warning in the kernel tracing system due to improper enable/disable calls, which could lead to unstable or unexpected behavior in kernel tracing features. However, there is no indication that this leads to security breaches or system compromise. The impact is primarily related to kernel tracing reliability and stability rather than direct security risks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the warning condition in the Linux kernel tracing subsystem. You can use the following commands to test for the issue:

1. Change directory to the tracing filesystem: cd /sys/kernel/tracing/
2. Register a disable_event command: echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > set_ftrace_filter
3. Enable the event: echo 1 > events/initcall/initcall_finish/enable
4. Trigger the event by reading /proc/cmdline: cat /proc/cmdline
5. Unregister the disable_event command: echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > set_ftrace_filter

If the warning occurs during these steps, the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves changing the calls so that trace_buffered_event_enable() is called only the first time soft-mode is enabled, and trace_buffered_event_disable() is called only the last time soft-mode is disabled. Until an updated kernel is applied, avoid using the affected tracing features that trigger this warning.

