FKIE_CVE-2023-54253

Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2026-04-15 00:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: set page extent mapped after read_folio in relocate_one_page One of the CI runs triggered the following panic assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000) This is the same problem outlined in 17b17fcd6d44 ("btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down. The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set page extent mapped after read_folio in relocate_one_page\n\nOne of the CI runs triggered the following panic\n\n  assertion failed: PagePrivate(page) \u0026\u0026 page-\u003eprivate, in fs/btrfs/subpage.c:229\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/subpage.c:229!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1\n  pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : btrfs_subpage_assert+0xbc/0xf0\n  lr : btrfs_subpage_assert+0xbc/0xf0\n  sp : ffff800093213720\n  x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000\n  x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff\n  x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880\n  x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff\n  x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028\n  x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000\n  x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c\n  x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8\n  x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f\n  Call trace:\n   btrfs_subpage_assert+0xbc/0xf0\n   btrfs_subpage_set_dirty+0x38/0xa0\n   btrfs_page_set_dirty+0x58/0x88\n   relocate_one_page+0x204/0x5f0\n   relocate_file_extent_cluster+0x11c/0x180\n   relocate_data_extent+0xd0/0xf8\n   relocate_block_group+0x3d0/0x4e8\n   btrfs_relocate_block_group+0x2d8/0x490\n   btrfs_relocate_chunk+0x54/0x1a8\n   btrfs_balance+0x7f4/0x1150\n   btrfs_ioctl+0x10f0/0x20b8\n   __arm64_sys_ioctl+0x120/0x11d8\n   invoke_syscall.constprop.0+0x80/0xd8\n   do_el0_svc+0x6c/0x158\n   el0_svc+0x50/0x1b0\n   el0t_64_sync_handler+0x120/0x130\n   el0t_64_sync+0x194/0x198\n  Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)\n\nThis is the same problem outlined in 17b17fcd6d44 (\"btrfs:\nset_page_extent_mapped after read_folio in btrfs_cont_expand\") , and the\nfix is the same.  I originally looked for the same pattern elsewhere in\nour code, but mistakenly skipped over this code because I saw the page\ncache readahead before we set_page_extent_mapped, not realizing that\nthis was only in the !page case, that we can still end up with a\n!uptodate page and then do the btrfs_read_folio further down.\n\nThe fix here is the same as the above mentioned patch, move the\nset_page_extent_mapped call to after the btrfs_read_folio() block to\nmake sure that we have the subpage blocksize stuff setup properly before\nusing the page."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: establecer la extensi\u00f3n de p\u00e1gina mapeada despu\u00e9s de read_folio en relocate_one_page\n\nUna de las ejecuciones de CI desencaden\u00f3 el siguiente p\u00e1nico\n\n  aserci\u00f3n fallida: PagePrivate(page) \u0026amp;\u0026amp; page-\u0026gt;private, en fs/btrfs/subpage.c:229\n  ------------[ cortar aqu\u00ed ]------------\n  BUG del kernel en fs/btrfs/subpage.c:229!\n  Error interno: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 PID: 923660 Comm: btrfs No contaminado 6.5.0-rc3+ #1\n  pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : btrfs_subpage_assert+0xbc/0xf0\n  lr : btrfs_subpage_assert+0xbc/0xf0\n  sp : ffff800093213720\n  x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000\n  x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff\n  x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880\n  x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff\n  x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028\n  x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000\n  x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c\n  x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8\n  x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f\n  Traza de llamadas:\n   btrfs_subpage_assert+0xbc/0xf0\n   btrfs_subpage_set_dirty+0x38/0xa0\n   btrfs_page_set_dirty+0x58/0x88\n   relocate_one_page+0x204/0x5f0\n   relocate_file_extent_cluster+0x11c/0x180\n   relocate_data_extent+0xd0/0xf8\n   relocate_block_group+0x3d0/0x4e8\n   btrfs_relocate_block_group+0x2d8/0x490\n   btrfs_relocate_chunk+0x54/0x1a8\n   btrfs_balance+0x7f4/0x1150\n   btrfs_ioctl+0x10f0/0x20b8\n   __arm64_sys_ioctl+0x120/0x11d8\n   invoke_syscall.constprop.0+0x80/0xd8\n   do_el0_svc+0x6c/0x158\n   el0_svc+0x50/0x1b0\n   el0t_64_sync_handler+0x120/0x130\n   el0t_64_sync+0x194/0x198\n  C\u00f3digo: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)\n\nEste es el mismo problema descrito en 17b17fcd6d44 (\"btrfs: establecer la extensi\u00f3n de p\u00e1gina mapeada despu\u00e9s de read_folio en btrfs_cont_expand\"), y la soluci\u00f3n es la misma. Originalmente busqu\u00e9 el mismo patr\u00f3n en otra parte de nuestro c\u00f3digo, pero err\u00f3neamente omit\u00ed este c\u00f3digo porque vi la lectura anticipada de la cach\u00e9 de p\u00e1ginas antes de set_page_extent_mapped, sin darme cuenta de que esto era solo en el caso de !page, que a\u00fan podemos terminar con una p\u00e1gina !uptodate y luego hacer el btrfs_read_folio m\u00e1s abajo.\n\nLa soluci\u00f3n aqu\u00ed es la misma que el parche mencionado anteriormente, mover la llamada a set_page_extent_mapped a despu\u00e9s del bloque btrfs_read_folio() para asegurarnos de que tenemos la configuraci\u00f3n de los elementos de tama\u00f1o de bloque de subp\u00e1gina correctamente antes de usar la p\u00e1gina."
    }
  ],
  "id": "CVE-2023-54253",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2025-12-30T13:16:13.997",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.