CVE-2023-53791

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md: fix warning for holder mismatch from export_rdev()<br /> <br /> Commit a1d767191096 ("md: use mddev-&gt;external to select holder in<br /> export_rdev()") fix the problem that &amp;#39;claim_rdev&amp;#39; is used for<br /> blkdev_get_by_dev() while &amp;#39;rdev&amp;#39; is used for blkdev_put().<br /> <br /> However, if mddev-&gt;external is changed from 0 to 1, then &amp;#39;rdev&amp;#39; is used<br /> for blkdev_get_by_dev() while &amp;#39;claim_rdev&amp;#39; is used for blkdev_put(). And<br /> this problem can be reporduced reliably by following:<br /> <br /> New file: mdadm/tests/23rdev-lifetime<br /> <br /> devname=${dev0##*/}<br /> devt=`cat /sys/block/$devname/dev`<br /> pid=""<br /> runtime=2<br /> <br /> clean_up_test() {<br /> pill -9 $pid<br /> echo clear &gt; /sys/block/md0/md/array_state<br /> }<br /> <br /> trap &amp;#39;clean_up_test&amp;#39; EXIT<br /> <br /> add_by_sysfs() {<br /> while true; do<br /> echo $devt &gt; /sys/block/md0/md/new_dev<br /> done<br /> }<br /> <br /> remove_by_sysfs(){<br /> while true; do<br /> echo remove &gt; /sys/block/md0/md/dev-${devname}/state<br /> done<br /> }<br /> <br /> echo md0 &gt; /sys/module/md_mod/parameters/new_array || die "create md0 failed"<br /> <br /> add_by_sysfs &amp;<br /> pid="$pid $!"<br /> <br /> remove_by_sysfs &amp;<br /> pid="$pid $!"<br /> <br /> sleep $runtime<br /> exit 0<br /> <br /> Test cmd:<br /> <br /> ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime<br /> <br /> Test result:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330<br /> Modules linked in: multipath md_mod loop<br /> CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50<br /> RIP: 0010:blkdev_put+0x27c/0x330<br /> Call Trace:<br /> <br /> export_rdev.isra.23+0x50/0xa0 [md_mod]<br /> mddev_unlock+0x19d/0x300 [md_mod]<br /> rdev_attr_store+0xec/0x190 [md_mod]<br /> sysfs_kf_write+0x52/0x70<br /> kernfs_fop_write_iter+0x19a/0x2a0<br /> vfs_write+0x3b5/0x770<br /> ksys_write+0x74/0x150<br /> __x64_sys_write+0x22/0x30<br /> do_syscall_64+0x40/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Fix the problem by recording if &amp;#39;rdev&amp;#39; is used as holder.