VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Apr 15, 2026

CVE-2023-53765

CVE-2023-53765

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache: free background tracker's queued work in btracker_destroy

Otherwise the kernel can BUG with:

[ 2245.426978] ============================================================================= [ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown() [ 2245.445233] ----------------------------------------------------------------------------- [ 2245.445233] [ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) [ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19 [ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021 [ 2245.483646] Call Trace: [ 2245.486100] [ 2245.488206] dump_stack_lvl+0x34/0x48 [ 2245.491878] slab_err+0x95/0xcd [ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136 [ 2245.499821] kmem_cache_destroy+0x49/0x130 [ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache] [ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq] [ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache] [ 2245.518834] destroy+0xc0/0x110 [dm_cache] [ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod] [ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod] [ 2245.532102] dev_remove+0x117/0x190 [dm_mod] [ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod] [ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod] [ 2245.544773] __x64_sys_ioctl+0x8a/0xc0 [ 2245.548524] do_syscall_64+0x5c/0x90 [ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30 [ 2245.556897] ? do_syscall_64+0x69/0x90 [ 2245.560648] ? do_syscall_64+0x69/0x90 [ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 2245.569447] RIP: 0033:0x7fe52583ec6b ... [ 2245.646771] ------------[ cut here ]------------ [ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache] [ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130

Found using: lvm2-testsuite --only "cache-single-split.sh"

Ben bisected and found that commit 0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy() without holding slab_mutex/cpu_hotplug_lock") first exposed dm-cache's incomplete cleanup of its background tracker work objects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The dm cache background tracker in the Linux kernel does not free queued work objects on destroy, causing a slab-use-after-free BUG.

Root

Cause

The Linux kernel's device-mapper cache target, specifically the background tracker (btracker_destroy), fails to free queued work items (bt_work objects) when the policy is destroyed. This leaves objects allocated from the bt_work slab cache, which triggers a kernel BUG ("Objects remaining in bt_work on __kmem_cache_shutdown()") when the slab cache is later destroyed.

Exploitation

An attacker with sufficient privileges (root or capable of triggering device-mapper cache device removal) can trigger the vulnerability by removing a cache device. The btracker_destroy function is called during cache policy destruction, which occurs as part of the device teardown. The attack surface is limited to local users who can manipulate device-mapper targets.

Impact

The BUG message indicates a kernel state that can lead to memory corruption or denial of service. Under normal operation, this is a panic-on-bug scenario, resulting in a system crash (denial of service). It could potentially be leveraged for privilege escalation if the leftover objects contain sensitive data or function pointers, though the provided description only confirms the BUG and crash.

Mitigation

The fix, committed in the Linux kernel stable tree [1], adds a call to free_work for each queued work item in btracker_destroy, ensuring the slab cache is empty before destruction. Users should apply kernel updates containing commit 95ab80a8a0fe (or equivalent) to prevent this issue.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

3
673a3af21d5e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ed56ad5cacb7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
95ab80a8a0fe
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.