CVE-2026-53125 (GCVE-0-2026-53125)

Vulnerability from cvelistv5 – Published: 2026-06-24 16:30 – Updated: 2026-06-24 16:30
VLAI
Title
md: fix array_state=clear sysfs deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved: md: fix array_state=clear sysfs deadlock When "clear" is written to array_state, md_attr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method. However, md_attr_store() currently drops the mddev reference before calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can become the last kobject reference protecting the md kobject. That allows sysfs_unbreak_active_protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs_drain() in the call chain. Reproducer on an existing level: 1. Create an md0 linear array and activate it: mknod /dev/md0 b 9 0 echo none > /sys/block/md0/md/metadata_version echo linear > /sys/block/md0/md/level echo 1 > /sys/block/md0/md/raid_disks echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \ /sys/block/md0/md/dev-sdb/size echo 0 > /sys/block/md0/md/dev-sdb/slot echo active > /sys/block/md0/md/array_state 2. Wait briefly for the array to settle, then clear it: sleep 2 echo clear > /sys/block/md0/md/array_state The warning looks like: WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at __kernfs_remove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40 ... Call Trace: kernfs_drain __kernfs_remove kernfs_remove_by_name_ns sysfs_remove_group sysfs_remove_groups __kobject_del kobject_put md_attr_store kernfs_fop_write_iter vfs_write ksys_write Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < 62c44566da7493ee48ef17e8507bb798338a07cb (git)
Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < 92ad0ec509ffb188d8f849b63148664df37b4a52 (git)
Affected: 9e59d609763f70a992a8f3808dabcce60f14eb5c , < 2aa72276fab9851dbd59c2daeb4b590c5a113908 (git)
Create a notification for this product.
Linux Linux Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "62c44566da7493ee48ef17e8507bb798338a07cb",
              "status": "affected",
              "version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
              "versionType": "git"
            },
            {
              "lessThan": "92ad0ec509ffb188d8f849b63148664df37b4a52",
              "status": "affected",
              "version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
              "versionType": "git"
            },
            {
              "lessThan": "2aa72276fab9851dbd59c2daeb4b590c5a113908",
              "status": "affected",
              "version": "9e59d609763f70a992a8f3808dabcce60f14eb5c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix array_state=clear sysfs deadlock\n\nWhen \"clear\" is written to array_state, md_attr_store() breaks sysfs\nactive protection so the array can delete itself from its own sysfs\nstore method.\n\nHowever, md_attr_store() currently drops the mddev reference before\ncalling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0)\nhas made the mddev eligible for delayed deletion, the temporary\nkobject reference taken by sysfs_break_active_protection() can become\nthe last kobject reference protecting the md kobject.\n\nThat allows sysfs_unbreak_active_protection() to drop the last\nkobject reference from the current sysfs writer context. kobject\nteardown then recurses into kernfs removal while the current sysfs\nnode is still being unwound, and lockdep reports recursive locking on\nkn-\u003eactive with kernfs_drain() in the call chain.\n\nReproducer on an existing level:\n1. Create an md0 linear array and activate it:\n   mknod /dev/md0 b 9 0\n   echo none \u003e /sys/block/md0/md/metadata_version\n   echo linear \u003e /sys/block/md0/md/level\n   echo 1 \u003e /sys/block/md0/md/raid_disks\n   echo \"$(cat /sys/class/block/sdb/dev)\" \u003e /sys/block/md0/md/new_dev\n   echo \"$(($(cat /sys/class/block/sdb/size) / 2))\" \u003e \\\n\t/sys/block/md0/md/dev-sdb/size\n   echo 0 \u003e /sys/block/md0/md/dev-sdb/slot\n   echo active \u003e /sys/block/md0/md/array_state\n2. Wait briefly for the array to settle, then clear it:\n   sleep 2\n   echo clear \u003e /sys/block/md0/md/array_state\n\nThe warning looks like:\n\n  WARNING: possible recursive locking detected\n  bash/588 is trying to acquire lock:\n  (kn-\u003eactive#65) at __kernfs_remove+0x157/0x1d0\n  but task is already holding lock:\n  (kn-\u003eactive#65) at sysfs_unbreak_active_protection+0x1f/0x40\n  ...\n  Call Trace:\n   kernfs_drain\n   __kernfs_remove\n   kernfs_remove_by_name_ns\n   sysfs_remove_group\n   sysfs_remove_groups\n   __kobject_del\n   kobject_put\n   md_attr_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n\nRestore active protection before mddev_put() so the extra sysfs\nkobject reference is dropped while the mddev is still held alive. The\nactual md kobject deletion is then deferred until after the sysfs\nwrite path has fully returned."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T16:30:53.934Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/62c44566da7493ee48ef17e8507bb798338a07cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/92ad0ec509ffb188d8f849b63148664df37b4a52"
        },
        {
          "url": "https://git.kernel.org/stable/c/2aa72276fab9851dbd59c2daeb4b590c5a113908"
        }
      ],
      "title": "md: fix array_state=clear sysfs deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53125",
    "datePublished": "2026-06-24T16:30:53.934Z",
    "dateReserved": "2026-06-09T07:44:35.386Z",
    "dateUpdated": "2026-06-24T16:30:53.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.