CVE-2023-53791 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

md: fix warning for holder mismatch from export_rdev()

Commit a1d767191096 ("md: use mddev->external to select holder in export_rdev()") fix the problem that 'claim_rdev' is used for blkdev_get_by_dev() while 'rdev' is used for blkdev_put().

However, if mddev->external is changed from 0 to 1, then 'rdev' is used for blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And this problem can be reporduced reliably by following:

New file: mdadm/tests/23rdev-lifetime

devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev` pid="" runtime=2

clean_up_test() {
pill -9 $pid echo clear > /sys/block/md0/md/array_state }

trap 'clean_up_test' EXIT

add_by_sysfs() {
while true; do echo $devt > /sys/block/md0/md/new_dev done }

remove_by_sysfs(){
while true; do echo remove > /sys/block/md0/md/dev-${devname}/state
done }

echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

add_by_sysfs & pid="$pid $!"

remove_by_sysfs & pid="$pid $!"

sleep $runtime exit 0

Test cmd:

./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime

Test result:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330 Modules linked in: multipath md_mod loop CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50 RIP: 0010:blkdev_put+0x27c/0x330 Call Trace: <TASK> export_rdev.isra.23+0x50/0xa0 [md_mod]
mddev_unlock+0x19d/0x300 [md_mod]
rdev_attr_store+0xec/0x190 [md_mod]
sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fix the problem by recording if 'rdev' is used as holder.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/29/2026

The vulnerability described in CVE-2023-53791 resides within the Linux kernel's md (multiple device) subsystem, specifically in the handling of device holders during the export_rdev() function. This issue represents a critical mismatch in how device references are managed when transitioning between internal and external holder states, creating potential for kernel warnings and system instability. The problem manifests when mddev->external changes from 0 to 1, causing inconsistent usage of device reference variables that leads to improper device release operations. The technical flaw stems from a discrepancy in the blkdev_get_by_dev() and blkdev_put() function calls where different device reference variables are used for acquisition and release operations, violating fundamental resource management principles. This mismatch creates a scenario where the kernel attempts to release a device reference that was not properly acquired using the same reference type, resulting in the warning message observed in the kernel logs.

The operational impact of this vulnerability extends beyond simple warning messages to potentially destabilize storage subsystems within Linux environments. The test case provided demonstrates a reliable reproduction method that creates a race condition through concurrent addition and removal operations on md devices, leveraging the sysfs interface to manipulate device states rapidly. This behavior can lead to kernel oops conditions, memory corruption, and in extreme cases, system crashes or data loss during storage operations. The vulnerability specifically affects systems running Linux kernels with mdadm support where software RAID arrays are actively managed, particularly in environments where dynamic device management occurs frequently. The issue is particularly concerning in production environments where storage reliability is paramount, as it can cause intermittent failures that are difficult to diagnose and may lead to data integrity concerns.

The mitigation strategy involves ensuring proper tracking of which device reference variable is used as a holder during the device management lifecycle. The fix implemented in commit a1d767191096 addresses this by recording whether 'rdev' is used as a holder, thereby maintaining consistency between acquisition and release operations. This approach aligns with CWE-691, which addresses insufficient control flow management in software systems, and follows ATT&CK technique T1484.001 for Privilege Escalation through kernel vulnerabilities. Organizations should ensure their systems are updated with the patched kernel version containing this fix, particularly those running storage-intensive workloads or systems that frequently manipulate md device arrays. The vulnerability also highlights the importance of proper resource management in kernel space, where the principle of least privilege and proper reference counting becomes critical for system stability. System administrators should monitor for kernel warnings related to block device management and ensure that all kernel updates are applied promptly to prevent exploitation of such low-level vulnerabilities that could potentially be leveraged for more sophisticated attacks against system integrity.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00162

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!