CVE-2023-53665
- Source
- https://cve.org/CVERecord?id=CVE-2023-53665
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53665.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-53665
- Downstream
- Related
- Published
- 2025-10-07T15:21:23.808Z
- Modified
- 2026-02-20T13:54:21.862830Z
- Summary
- md: don't dereference mddev after export_rdev()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
md: don't dereference mddev after export_rdev()
Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev().
This problem can be triggered by following test for mdadm at very low rate:
New file: mdadm/tests/23rdev-lifetime
devname=${dev0##*/} devt=
cat /sys/block/$devname/devpid="" runtime=2cleanuptest() { pill -9 $pid echo clear > /sys/block/md0/md/array_state }
trap 'cleanuptest' EXIT
addbysysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done }
removebysysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done }
echo md0 > /sys/module/mdmod/parameters/newarray || die "create md0 failed"
addbysysfs & pid="$pid $!"
removebysysfs & pid="$pid $!"
sleep $runtime exit 0
Test cmd:
./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime
Test result:
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562 RIP: 0010:mdwakeupthread+0x9e/0x320 [mdmod] Call Trace: <TASK> mddevunlock+0x1b6/0x310 [mdmod] rdevattrstore+0xec/0x190 [mdmod] sysfskfwrite+0x52/0x70 kernfsfopwriteiter+0x19a/0x2a0 vfswrite+0x3b5/0x770 ksyswrite+0x74/0x150 _x64syswrite+0x22/0x30 dosyscall64+0x40/0x90 entrySYSCALL64afterhwframe+0x63/0xcd
Fix this problem by don't dereference mddev after export_rdev().
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53665.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/7deac114be5fb25a4e865212ed0feaf5f85f2a28
- https://git.kernel.org/stable/c/ad430ad0669d2757377373390d68e1454fc7a344
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53665.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-53665
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3ce94ce5d05ae89190a23f6187f64d8f4b2d3782Fixedad430ad0669d2757377373390d68e1454fc7a344Fixed7deac114be5fb25a4e865212ed0feaf5f85f2a28
Affected versions
v6.*
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53665.json"
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ad430ad0669d2757377373390d68e1454fc7a344",
"signature_type": "Line",
"digest": {
"line_hashes": [
"144584885617495509648785784660420203871",
"252906130527642134322606099364035298926",
"71656540064801524008852764464308163032",
"153563116538690863009898030407879836848",
"298703790911235061980563662629725151460",
"83733569671303354426566063658484429389",
"213808633490132001701739464022435822188",
"16575422887545803323601083756271551072",
"324039834279588800905646018247402267682",
"260783368088836480787798969868091827900"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/md/md.c"
},
"id": "CVE-2023-53665-1219494f",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7deac114be5fb25a4e865212ed0feaf5f85f2a28",
"signature_type": "Function",
"digest": {
"function_hash": "41691973522706903496236977035022284",
"length": 1164.0
},
"deprecated": false,
"target": {
"file": "drivers/md/md.c",
"function": "mddev_unlock"
},
"id": "CVE-2023-53665-13a69691",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7deac114be5fb25a4e865212ed0feaf5f85f2a28",
"signature_type": "Line",
"digest": {
"line_hashes": [
"144584885617495509648785784660420203871",
"252906130527642134322606099364035298926",
"71656540064801524008852764464308163032",
"153563116538690863009898030407879836848",
"298703790911235061980563662629725151460",
"83733569671303354426566063658484429389",
"213808633490132001701739464022435822188",
"16575422887545803323601083756271551072",
"324039834279588800905646018247402267682",
"260783368088836480787798969868091827900"
],
"threshold": 0.9
},
"deprecated": false,
"target": {
"file": "drivers/md/md.c"
},
"id": "CVE-2023-53665-2a4e2c51",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ad430ad0669d2757377373390d68e1454fc7a344",
"signature_type": "Function",
"digest": {
"function_hash": "41691973522706903496236977035022284",
"length": 1164.0
},
"deprecated": false,
"target": {
"file": "drivers/md/md.c",
"function": "mddev_unlock"
},
"id": "CVE-2023-53665-9c9fbff4",
"signature_version": "v1"
}
]