CVE-2023-54303
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Disable preemption in bpf_perf_event_output
The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints.
However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled.
This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea ... Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40
Fixing this by disabling preemption in bpf_perf_event_output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, bpf_perf_event_output lacks preemption disabling in uprobes context, causing potential data corruption and crashes.
The vulnerability exists in the Linux kernel's BPF subsystem, specifically in the bpf_perf_event_output function. The nesting protection in this function relies on disabled preemption, which is guaranteed for kprobes and tracepoints but not for uprobes. When called from uprobes context via bpf_prog_run_array_sleepable, migration is disabled but preemption remains enabled, allowing a task to be preempted within the critical section.
An attacker can exploit this by triggering a uprobe that invokes bpf_perf_event_output. Due to the missing preemption disabling, another task may use the same perf_sample_data buffer concurrently, leading to data races. This can result in kernel crashes, as evidenced by the provided call trace showing an attempt to execute NX-protected memory.
The impact includes denial of service through system crashes, and potentially more severe consequences if an attacker can manipulate the corrupted data. The crash trace indicates a page fault in perf_output_sample, which could be leveraged for privilege escalation if the attacker controls the faulty data.
A fix has been applied in the Linux kernel stable tree by disabling preemption in bpf_perf_event_output. Users are advised to update their kernels to versions containing commit a0ac32cf61e5a76e2429e486925a52ee41dd75e3 or apply the equivalent patch [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
33654ed5daf49a0ac32cf61e5f2c67a3e60d1Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.