CVE-2026-53125
- Source
- https://cve.org/CVERecord?id=CVE-2026-53125
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-53125.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-53125
- Downstream
- Published
- 2026-06-24T16:30:53.934Z
- Modified
- 2026-06-25T04:05:21.113336549Z
- Summary
- md: fix array_state=clear sysfs deadlock
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
md: fix array_state=clear sysfs deadlock
When "clear" is written to arraystate, mdattr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method.
However, mdattrstore() currently drops the mddev reference before calling sysfsunbreakactiveprotection(). Once domdstop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfsbreakactiveprotection() can become the last kobject reference protecting the md kobject.
That allows sysfsunbreakactiveprotection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfsdrain() in the call chain.
Reproducer on an existing level: 1. Create an md0 linear array and activate it: mknod /dev/md0 b 9 0 echo none > /sys/block/md0/md/metadataversion echo linear > /sys/block/md0/md/level echo 1 > /sys/block/md0/md/raiddisks echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/newdev echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \ /sys/block/md0/md/dev-sdb/size echo 0 > /sys/block/md0/md/dev-sdb/slot echo active > /sys/block/md0/md/arraystate 2. Wait briefly for the array to settle, then clear it: sleep 2 echo clear > /sys/block/md0/md/array_state
The warning looks like:
WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at __kernfsremove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfsunbreak_activeprotection+0x1f/0x40 ... Call Trace: kernfsdrain __kernfsremove kernfsremove_bynamens sysfsremovegroup sysfsremovegroups _kobjectdel kobjectput mdattrstore kernfsfopwriteiter vfswrite ksyswrite
Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53125.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2aa72276fab9851dbd59c2daeb4b590c5a113908
- https://git.kernel.org/stable/c/62c44566da7493ee48ef17e8507bb798338a07cb
- https://git.kernel.org/stable/c/92ad0ec509ffb188d8f849b63148664df37b4a52
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53125.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-53125