DEBIAN-CVE-2023-53665

In the Linux kernel, the following vulnerability has been resolved: md: don't dereference mddev after exportrdev() Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after exportrdev(). This problem can be triggered by following test for mdadm at very low rate: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=cat /sys/block/$devname/dev pid="" runtime=2 cleanuptest() { pill -9 $pid echo clear > /sys/block/md0/md/arraystate } trap 'cleanuptest' EXIT addbysysfs() { while true; do echo $devt > /sys/block/md0/md/newdev done } removebysysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/mdmod/parameters/newarray || die "create md0 failed" addbysysfs & pid="$pid $!" removebysysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime Test result: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562 RIP: 0010:mdwakeupthread+0x9e/0x320 [mdmod] Call Trace: <TASK> mddevunlock+0x1b6/0x310 [mdmod] rdevattrstore+0xec/0x190 [mdmod] sysfskfwrite+0x52/0x70 kernfsfopwriteiter+0x19a/0x2a0 vfswrite+0x3b5/0x770 ksyswrite+0x74/0x150 _x64syswrite+0x22/0x30 dosyscall64+0x40/0x90 entrySYSCALL64afterhwframe+0x63/0xcd Fix this problem by don't dereference mddev after export_rdev().