Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's tracing subsystem. This issue arises during the swapping of per-CPU buffers, specifically when writing events to the CPU buffer and simultaneously swapping the buffer through the 'per_cpu/cpu0/snapshot' file. The vulnerability has been observed in the Linux kernel stable tree, affecting several versions and ranges. The root cause of the vulnerability is the lack of proper synchronization when swapping CPU buffers, which can lead to inconsistencies and incorrect states being reported.
Exploitation of this vulnerability causes a warning to be triggered in the kernel, indicating a problem with the 'committing' state of the CPU buffer. This warning is a result of the race condition, where the buffer swap operation interferes with the event writing process, potentially leading to missed or incorrectly processed events in the tracing system.
The vulnerability can be reproduced by writing to the 'per_cpu/cpu0/snapshot' file from multiple threads simultaneously. This can be done by creating a bash script that repeatedly writes to the snapshot file while also reserving events in the tracing system. The race condition will trigger a warning in the kernel, indicating the vulnerability has been successfully reproduced.
The vulnerability has been addressed by modifying the buffer swap operation to use 'smp_call_function_single()' to perform the swap on the target CPU where the buffer is located. This change ensures that the swap operation is properly synchronized, preventing the race condition from occurring.
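Because the trigger described above is a write to the per-CPU snapshot file, checking who can write those files helps scope exposure on a host that has not yet received the fix. The following is an added example, not part of the advisory or the kernel tree; the function name, the default mount point `/sys/kernel/tracing` and the use of GNU-style `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: report which per-CPU snapshot files
# can be written by accounts other than their owner.
# Assumptions: tracefs is mounted at /sys/kernel/tracing and stat(1) accepts
# GNU-style -c formats. Root and CAP_DAC_OVERRIDE holders bypass these mode
# bits, so an "ok" verdict only rules out unprivileged writers.
#
# Usage: audit_snapshot_perms [TRACEFS_ROOT]
# Prints "<mode> <owner> <path> <verdict>" per file.
# Returns 0 = none group/other-writable, 1 = at least one is, 2 = none found.
audit_snapshot_perms() {
    root=${1:-/sys/kernel/tracing}
    found=0
    exposed=0
    for f in "$root"/per_cpu/cpu*/snapshot; do
        [ -e "$f" ] || continue          # glob did not match anything
        found=1
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        # Leading 0 makes the shell read the mode as octal; 022 selects the
        # group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            verdict=EXPOSED
            exposed=1
        else
            verdict=ok
        fi
        printf '%s %s %s %s\n' "$mode" "$owner" "$f" "$verdict"
    done
    if [ "$found" -eq 0 ]; then
        echo "no per_cpu/cpu*/snapshot under $root (not mounted, no snapshot support, or no access)" >&2
        return 2
    fi
    return "$exposed"
}
```

Run it as root so the tracefs directory is readable; a non-root owner shown in the second column also deserves review.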