VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54253

CVE-2023-54253

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: set page extent mapped after read_folio in relocate_one_page

One of the CI runs triggered the following panic

assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)

This is the same problem outlined in 17b17fcd6d44 ("btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down.

The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Btrfs kernel panic in relocate_one_page due to missing page extent mapping after read_folio, fixed by calling set_page_extent_mapped.

The vulnerability is a kernel panic in Btrfs when relocating data extents during a balance operation. The function relocate_one_page processes pages but fails to call set_page_extent_mapped after read_folio, leading to an assertion failure in btrfs_subpage_assert when btrfs_subpage_set_dirty is invoked. This results in a kernel BUG (Oops) as seen in the provided crash trace.

To trigger the issue, an attacker with local access must initiate a Btrfs balance operation (e.g., via btrfs balance command) that relocates block groups. The bug is hit when relocate_one_page encounters a page that has been read but not marked as having a valid extent mapped, likely due to specific data patterns or concurrent modifications during the relocation process.

The impact is a denial of service through a system crash, as the kernel BUG halts execution. An attacker who can trigger a Btrfs balance on a vulnerable system can cause repeated panics, potentially disrupting services.

The fix is provided in the kernel stable commit [1], which adds the missing set_page_extent_mapped call after read_folio in relocate_one_page. Users should apply this patch or update to a kernel version containing it to mitigate the vulnerability.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3
08daa38ca212
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9d1e020ed964
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
e7f1326cc24e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.