CVE-2023-53511
BaseFortify

Publication date: 2025-10-01

Last updated on: 2026-04-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix fget leak when fs don't support nowait buffered read

Heming reported a BUG when using io_uring doing link-cp on ocfs2. [1]

Do the following steps can reproduce this BUG:

    mount -t ocfs2 /dev/vdc /mnt/ocfs2
    cp testfile /mnt/ocfs2/
    ./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1
    umount /mnt/ocfs2

Then umount will fail, and it outputs:

    umount: /mnt/ocfs2: target is busy.

While tracing umount, it blames mnt_get_count() not return as expected. Do a deep investigation for fget()/fput() on related code flow, I've finally found that fget() leaks since ocfs2 doesn't support nowait buffered read.

    io_issue_sqe
    |-io_assign_file // do fget() first
    |-io_read
    |-io_iter_do_read
    |-ocfs2_file_read_iter // return -EOPNOTSUPP
    |-kiocb_done
    |-io_rw_done
    |-__io_complete_rw_common // set REQ_F_REISSUE
    |-io_resubmit_prep
    |-io_req_prep_async // override req->file, leak happens

This was introduced by commit a196c78b5443 in v5.18. Fix it by don't re-assign req->file if it has already been assigned.

[1] https://lore.kernel.org/ocfs2-devel/[email protected]/T/#t
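The reference accounting behind the call trace above, as an added userspace model that is not kernel code and not part of the original advisory. The struct layouts, the helpers model_fget/model_fput and the skip_if_assigned switch are assumptions made for illustration; only the step names come from the trace.

```c
#include <stdio.h>

/* Userspace model only: names mirror the call trace, bodies are simplified. */
struct file { int refs; };               /* stands in for struct file's refcount */
struct req  { struct file *file; };      /* stands in for the io_uring request */

static struct file *model_fget(struct file *f) { f->refs++; return f; }
static void model_fput(struct file *f) { f->refs--; }

/* io_assign_file step: takes the first reference at issue time. */
static void assign_file(struct req *r, struct file *f)
{
    if (!r->file)
        r->file = model_fget(f);
}

/* io_req_prep_async step on the reissue path.
 * skip_if_assigned == 0: behaviour described as the bug (req->file overridden).
 * skip_if_assigned == 1: behaviour described as the fix. */
static void prep_async(struct req *r, struct file *f, int skip_if_assigned)
{
    if (skip_if_assigned && r->file)
        return;
    r->file = model_fget(f);             /* second fget(); the first is now untracked */
}

/* Runs one read that the filesystem rejects with -EOPNOTSUPP and is reissued.
 * Returns the references still held once the request is done and the fd closed. */
int leaked_refs(int skip_if_assigned)
{
    struct file f = { .refs = 1 };       /* reference owned by the open fd */
    struct req r = { 0 };

    assign_file(&r, &f);                 /* io_issue_sqe -> io_assign_file */
    /* ocfs2_file_read_iter returns -EOPNOTSUPP, REQ_F_REISSUE is set */
    prep_async(&r, &f, skip_if_assigned);/* io_resubmit_prep -> io_req_prep_async */
    model_fput(r.file);                  /* request completion drops req->file once */
    model_fput(&f);                      /* close(fd) drops the fd's reference */
    return f.refs;                       /* anything above 0 keeps the mount busy */
}

int main(void)
{
    printf("before fix: %d leaked reference(s)\n", leaked_refs(0));
    printf("after fix:  %d leaked reference(s)\n", leaked_refs(1));
    return 0;
}
```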
Meta Information
Published: 2025-10-01
Last Modified: 2026-04-06
Generated: 2026-05-07
AI Q&A: 2025-10-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
linux  | kernel  | 5.18
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a bug in the Linux kernel's io_uring subsystem related to file reference management. Specifically, when using io_uring with the ocfs2 filesystem, a file reference taken with fget() is leaked because the filesystem does not support nowait buffered reads: the read returns -EOPNOTSUPP, the request is marked for reissue, and the reissue preparation overrides req->file, which was already assigned. The leaked reference causes the umount operation to fail with a 'target is busy' error. The issue was introduced in kernel version 5.18 and fixed by preventing reassignment of the file pointer if it has already been assigned.


How can this vulnerability impact me?

This vulnerability can cause the umount operation to fail on ocfs2 filesystems when using io_uring, resulting in the filesystem being reported as busy and not unmountable. This can lead to resource leaks and potentially impact system stability or maintenance operations that require unmounting the filesystem.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the described BUG scenario involving io_uring and ocfs2. You can run the following commands to check for the issue:

1. mount -t ocfs2 /dev/vdc /mnt/ocfs2
2. cp testfile /mnt/ocfs2/
3. ./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1
4. umount /mnt/ocfs2

If the umount command fails with the message 'umount: /mnt/ocfs2: target is busy', it indicates the presence of the vulnerability due to the fget leak in io_uring when ocfs2 doesn't support nowait buffered read.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability was fixed by a kernel patch that prevents re-assigning req->file if it has already been assigned, which closes the fget leak. Immediate mitigation steps include updating the Linux kernel to a version that includes this fix. Note that a196c78b5443 (v5.18) is the commit that introduced the leak, not the fix. Until then, avoid using io_uring with ocfs2 on affected kernel versions to prevent triggering the bug.

