{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-53247","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-09-15T14:19:21.848Z","datePublished":"2025-09-15T14:46:17.344Z","dateUpdated":"2026-05-11T19:41:05.419Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:41:05.419Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand\n\nWhile trying to get the subpage blocksize tests running, I hit the\nfollowing panic on generic/476\n\n  assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229\n  kernel BUG at fs/btrfs/subpage.c:229!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12\n  Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023\n  pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n  pc : btrfs_subpage_assert+0xbc/0xf0\n  lr : btrfs_subpage_assert+0xbc/0xf0\n  Call trace:\n   btrfs_subpage_assert+0xbc/0xf0\n   btrfs_subpage_clear_checked+0x38/0xc0\n   btrfs_page_clear_checked+0x48/0x98\n   btrfs_truncate_block+0x5d0/0x6a8\n   btrfs_cont_expand+0x5c/0x528\n   btrfs_write_check.isra.0+0xf8/0x150\n   btrfs_buffered_write+0xb4/0x760\n   btrfs_do_write_iter+0x2f8/0x4b0\n   btrfs_file_write_iter+0x1c/0x30\n   do_iter_readv_writev+0xc8/0x158\n   do_iter_write+0x9c/0x210\n   vfs_iter_write+0x24/0x40\n   iter_file_splice_write+0x224/0x390\n   direct_splice_actor+0x38/0x68\n   splice_direct_to_actor+0x12c/0x260\n   do_splice_direct+0x90/0xe8\n   generic_copy_file_range+0x50/0x90\n   vfs_copy_file_range+0x29c/0x470\n   __arm64_sys_copy_file_range+0xcc/0x498\n   invoke_syscall.constprop.0+0x80/0xd8\n   do_el0_svc+0x6c/0x168\n   el0_svc+0x50/0x1b0\n   el0t_64_sync_handler+0x114/0x120\n   el0t_64_sync+0x194/0x198\n\nThis happens because during btrfs_cont_expand we'll get a page, set it\nas mapped, and if it's not Uptodate we'll read it.  However between the\nread and re-locking the page we could have called release_folio() on the\npage, but left the page in the file mapping.  release_folio() can clear\nthe page private, and thus further down we blow up when we go to modify\nthe subpage bits.\n\nFix this by putting the set_page_extent_mapped() after the read.  This\nis safe because read_folio() will call set_page_extent_mapped() before\nit does the read, and then if we clear page private but leave it on the\nmapping we're completely safe re-setting set_page_extent_mapped().  With\nthis patch I can now run generic/476 without panicing."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"32443de3382be98c0a8b8f6f50d23da2e10c4117","lessThan":"0a5e0bc8e8618e32a6ca64450867628eb0a627bf","status":"affected","versionType":"git"},{"version":"32443de3382be98c0a8b8f6f50d23da2e10c4117","lessThan":"a5880e69cf7fe4a0bb1eabae02205352d1b59b7b","status":"affected","versionType":"git"},{"version":"32443de3382be98c0a8b8f6f50d23da2e10c4117","lessThan":"17b17fcd6d446b95904a6929c40012ee7f0afc0c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/inode.c"],"versions":[{"version":"5.12","status":"affected"},{"version":"0","lessThan":"5.12","status":"unaffected","versionType":"semver"},{"version":"6.1.42","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.4.7","lessThanOrEqual":"6.4.*","status":"unaffected","versionType":"semver"},{"version":"6.5","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.1.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.4.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a5e0bc8e8618e32a6ca64450867628eb0a627bf"},{"url":"https://git.kernel.org/stable/c/a5880e69cf7fe4a0bb1eabae02205352d1b59b7b"},{"url":"https://git.kernel.org/stable/c/17b17fcd6d446b95904a6929c40012ee7f0afc0c"}],"title":"btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2023-53247","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-01-14T17:59:15.309160Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-617","description":"CWE-617 Reachable Assertion"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T18:02:51.484Z"}}]}}