CVE-2023-54283
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Address KCSAN report on bpf_lru_list
KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race().
There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also.
================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem
write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x00
Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 ==================================================================
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in the Linux kernel's BPF LRU list due to unsynchronized access to node->ref was fixed using READ_ONCE/WRITE_ONCE.
A data race was reported by KCSAN in the Linux kernel's BPF LRU list implementation. The race involves unsynchronized reads and writes to the node->ref field, accessed concurrently in __bpf_lru_node_move (via __bpf_lru_list_rotate) and bpf_lru_node_set_ref (via __htab_lru_percpu_map_update_elem). The fix replaces data_race() annotations with standard READ_ONCE() and WRITE_ONCE() to guarantee defined behavior under the kernel memory model, and adds a bpf_lru_node_clear_ref() helper for explicit clearing [1].
Exploitation requires the ability to trigger concurrent BPF map update operations on a percpu hash map with LRU semantics. An attacker with privileges to perform BPF operations (such as CAP_BPF or root) can repeatedly invoke bpf_map_update_elem on a BPF LRU map, creating the necessary concurrency. The race window is narrow and depends on scheduler timing; no special network position is required.
The impact of this data race is limited to undefined behavior in the LRU list state. While the ref field influences list rotation and node eviction, the race does not directly cause memory corruption or privilege escalation. KCSAN reports such races as informational, and the actual risk is low unless cryptographic or security-sensitive operations rely on the LRU logic.
The fix was merged into the Linux kernel mainline and backported to stable kernels. Users are advised to apply the latest stable update containing commit [1] or equivalent backports. No active exploitation has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
86eaef1b1d872a89d14410ea0e09a285ea1e8b6d9a4062c94819ca25444b3c006fe361cfd6e5e83b56f50ee9fd0ac3017Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571nvd
- git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90nvd
- git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80fnvd
- git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5nvd
- git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60nvd
- git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8nvd
- git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5nvd
- git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4nvd
News mentions
0No linked articles in our index yet.