CVE-2023-54211
Description
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix warning in trace_buffered_event_disable()
Warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref)
Call Trace:
 ? __warn+0xa5/0x1b0
 ? trace_buffered_event_disable+0x189/0x1b0
 __ftrace_event_enable_disable+0x19e/0x3e0
 free_probe_data+0x3b/0xa0
 unregister_ftrace_function_probe_func+0x6b8/0x800
 event_enable_func+0x2f0/0x3d0
 ftrace_process_regex.isra.0+0x12d/0x1b0
 ftrace_filter_write+0xe6/0x140
 vfs_write+0x1c9/0x6f0
 [...]
The cause of the warning is in __ftrace_event_enable_disable(): trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. The reproduction script is shown below; for analysis, see the comments:

```
#!/bin/bash

cd /sys/kernel/tracing/

# 1. Register a 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was set;
#    2) trace_buffered_event_enable() was called first time;
echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter

# 2. Enable the event registered, then:
#    1) SOFT_DISABLED_BIT was cleared;
#    2) trace_buffered_event_disable() was called first time;
echo 1 > events/initcall/initcall_finish/enable

# 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was
#    set again!!!
cat /proc/cmdline

# 4. Unregister the 'disable_event' command, then:
#    1) SOFT_DISABLED_BIT was cleared again;
#    2) trace_buffered_event_disable() was called second time!!!
echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \
    set_ftrace_filter
```
To fix it, IIUC, we can change to call trace_buffered_event_enable() the first time soft-mode is enabled, and call trace_buffered_event_disable() the last time soft-mode is disabled.
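The accounting mismatch described above, replayed as a small userspace C model (an added example, not kernel source and not part of the commit). The struct fields and helper names are this model's own assumptions; it only mirrors the four steps of the reproduction script under the pre-fix and post-fix accounting.

```c
/* Added userspace model of the accounting; not kernel source, names are the model's own. */
#include <stdbool.h>

struct model {
    bool fixed;          /* false = pre-fix accounting, true = post-fix */
    bool soft_disabled;  /* stands in for SOFT_DISABLED_BIT */
    int  soft_users;     /* registered soft-mode users (probe commands) */
    int  buffered_ref;   /* stands in for trace_buffered_event_ref */
    int  warnings;       /* disable calls that found buffered_ref == 0 */
};

static void buffered_enable(struct model *m) { m->buffered_ref++; }
static void buffered_disable(struct model *m)
{
    if (m->buffered_ref == 0) m->warnings++;   /* the WARN_ON_ONCE site */
    else m->buffered_ref--;
}

/* Pre-fix: every change of the bit made through here drives the count. */
static void set_soft_disabled(struct model *m, bool val)
{
    bool changed = (m->soft_disabled != val);
    m->soft_disabled = val;
    if (m->fixed || !changed) return;
    if (val) buffered_enable(m); else buffered_disable(m);
}

/* Post-fix: only the first and the last soft-mode user touch the count. */
static void soft_mode_get(struct model *m)
{
    if (m->soft_users++ == 0 && m->fixed) buffered_enable(m);
    set_soft_disabled(m, true);
}
static void soft_mode_put(struct model *m)
{
    if (--m->soft_users == 0 && m->fixed) buffered_disable(m);
    set_soft_disabled(m, false);
}

struct model run_repro(bool fixed)
{
    struct model m = { .fixed = fixed };
    soft_mode_get(&m);              /* 1. register disable_event        */
    set_soft_disabled(&m, false);   /* 2. echo 1 > .../enable           */
    m.soft_disabled = true;         /* 3. probe fires, bit set directly */
    soft_mode_put(&m);              /* 4. unregister disable_event      */
    return m;
}
```

With the pre-fix accounting, step 3 sets the bit without a matching enable, so step 4 issues a second disable against a zero count; with the post-fix accounting the count moves only with the first and last soft-mode user.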
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel tracing bug causes a warning when trace_buffered_event_disable() is called twice due to improper soft-mode enable/disable accounting.
Vulnerability Overview
CVE-2023-54211 is a bug in the Linux kernel's tracing subsystem that triggers a warning in trace_buffered_event_disable(). The root cause is an accounting mismatch: trace_buffered_event_enable() is called once, but trace_buffered_event_disable() is called twice for the same event, leading to a WARN_ON_ONCE(!trace_buffered_event_ref) [1]. This occurs because the soft-mode enable/disable logic does not properly track the number of times the buffered event is enabled or disabled.
Exploitation Scenario
The vulnerability can be triggered by a local user with access to the ftrace interface. The provided reproduction script shows a sequence: register a disable_event command, enable the event, trigger the function (which re-sets the soft-disable bit), and then unregister the command. This sequence causes the soft-disable bit to be cleared twice, resulting in a second call to trace_buffered_event_disable() without a corresponding enable [1]. No special privileges beyond the ability to write to set_ftrace_filter are required.
Impact
An attacker who can trigger this bug will cause a kernel warning, which may lead to a denial of service (system log spam or panic depending on kernel configuration). The warning itself is not exploitable for arbitrary code execution, but it indicates a kernel state inconsistency that could be leveraged in more complex attacks.
Mitigation
The fix, committed in the Linux kernel stable tree, changes the logic to call trace_buffered_event_enable() only on the first soft-mode enable and trace_buffered_event_disable() only on the last soft-mode disable [1]. Users should apply the latest kernel updates from their distribution to resolve this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
- 1488d782c9e4
- b4f4ab423107
- cdcc35e64541
- a6d2fd1703cd
- 813cede7b2f5
- a3a3c7bddab9
- 528c9d731537
- dea499781a11
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/1488d782c9e43087a3f341b8186cd25f3cf75583 (nvd)
- git.kernel.org/stable/c/528c9d73153754defb748f0b96ad33308668d817 (nvd)
- git.kernel.org/stable/c/813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20 (nvd)
- git.kernel.org/stable/c/a3a3c7bddab9b6c5690b20796ef5e332b8c48afb (nvd)
- git.kernel.org/stable/c/a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074 (nvd)
- git.kernel.org/stable/c/b4f4ab423107dc1ba8e9cc6488c645be6403d3f5 (nvd)
- git.kernel.org/stable/c/cdcc35e6454133feb61561b4e0d0c80e52cbc2ba (nvd)
- git.kernel.org/stable/c/dea499781a1150d285c62b26659f62fb00824fce (nvd)