CVE-2023-53447: f2fs: don't reset unchangable mount option in f2fs_remount()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: don't reset unchangable mount option in f2fs_remount()
syzbot reports a bug as below:
general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942
Call Trace:
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691
__raw_write_lock include/linux/rwlock_api_smp.h:209 [inline]
_raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300
__drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100
f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116
f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664
f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838
vfs_fallocate+0x54b/0x6b0 fs/open.c:324
ksys_fallocate fs/open.c:347 [inline]
__do_sys_fallocate fs/open.c:355 [inline]
__se_sys_fallocate fs/open.c:353 [inline]
__x64_sys_fallocate+0xbd/0x100 fs/open.c:353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is race condition as below:
- since it tries to remount rw filesystem, so that do_remount won't
call sb_prepare_remount_readonly to block fallocate, there may be race
condition in between remount and fallocate.
- in f2fs_remount(), default_options() will reset mount option to default
one, and then update it based on result of parse_options(), so there is
a hole which race condition can happen.
Thread A Thread B
- f2fs_fill_super
- parse_options
- clear_opt(READ_EXTENT_CACHE)
- f2fs_remount
- default_options
- set_opt(READ_EXTENT_CACHE)
- f2fs_fallocate
- f2fs_insert_range
- f2fs_drop_extent_tree
- __drop_extent_tree
- __may_extent_tree
- test_opt(READ_EXTENT_CACHE) return true
- write_lock(&et->lock) access NULL pointer
- parse_options
- clear_opt(READ_EXTENT_CACHE)
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel F2FS filesystem bug that can crash a vulnerable system under a specific local race condition during remount and file allocation activity. The known impact is availability, not data theft or privilege escalation. It matters most on systems that use F2FS and allow local users or services to exercise filesystem operations.
Executive priority
Treat this as a targeted availability risk, not a broad remote compromise. Patch through normal kernel maintenance, accelerating for F2FS systems with untrusted local users or workloads. No source provided evidence of active exploitation, but kernel crashes can still affect service reliability.
Technical view
CVE-2023-53447 is a CWE-362 race in f2fs_remount(). default_options() can temporarily reset READ_EXTENT_CACHE during remount, while concurrent fallocate paths may observe the wrong option state and dereference a NULL extent tree lock. The CVSS vector is local, high complexity, low privileges, no user interaction, availability-high impact.
Likely exposure
Exposure is likely limited to Linux systems running affected kernel versions with F2FS in use. Internet-facing exposure is not indicated by the sources. Systems with local multi-user access, containers, mobile/embedded deployments, or services handling untrusted local workloads deserve priority review.
Exploitation context
The CVE record cites a syzbot crash report and a race condition. The source bundle does not show CISA KEV listing or public active exploitation. Exploitation would require local conditions and timing, with the documented outcome being kernel crash or availability loss.
Researcher notes
The root issue is an inconsistent mount option window during f2fs_remount(). A concurrent fallocate path can see READ_EXTENT_CACHE as enabled and touch an uninitialized extent tree. The evidence is source-level kernel analysis plus syzbot crash context; product impact beyond Linux F2FS is not supported.
Mitigation direction
Apply a kernel update containing the referenced stable F2FS fixes.
Check distribution advisories for backported fixes for CVE-2023-53447.
Prioritize patching systems using F2FS with local multi-user or untrusted workloads.
If patching is delayed, review vendor guidance for supported temporary controls.
Avoid assuming filesystem-level workarounds unless confirmed by the kernel or distribution vendor.
Validation and detection
Inventory systems running Linux kernels in the affected range from the CVE record.
Confirm whether F2FS support is enabled and F2FS filesystems are mounted.
Verify installed kernel packages include the referenced stable commits or vendor backports.
Review vulnerability scanner results against vendor kernel package metadata.
Check operational logs for unexplained kernel crashes involving F2FS paths.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-362: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-362 · source CWE mapping
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.