CVE-2023-53848

Vulnerability

Description

In the Linux kernel, a deadlock vulnerability was introduced in the raid5-cache module by commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work"). The issue occurs in the r5l_exit_log() function [1][2]. The root cause is that the function sets conf->log to NULL after flushing the workqueue, but the workqueue handler r5c_disable_writeback_async waits for a condition that never becomes true because conf->log is still non-NULL at that point [1][2].

Exploitation

Conditions

An attacker cannot directly trigger this deadlock; it requires a kernel rebuild or a specific sequence of operations on a system using the MD RAID5 or RAID6 with a write-back cache. The deadlock occurs when the kernel tries to exit the raid5-cache log while the reconfig_mutex is held, and the disable_writeback_work is still executing [1]. The wait_event in r5c_disable_writeback_async cannot proceed because conf->log is not yet NULL [1].

Impact

If the deadlock occurs, it causes a kernel hang (system freeze) because the mutex is never released. This results in a denial of service (DoS) for any processes waiting on the reconfig_mutex, effectively crashing the system or making it unresponsive [1].

Mitigation

State

The Linux kernel stable tree has released patches that fix the deadlock by reordering the operations: setting conf->log to NULL before calling wake_up() (so the wait condition is met), and moving md_unregister_thread() earlier to prevent a null-pointer dereference [1][2]. The fix commits are available as part of the stable kernel updates [1][2]. Users should apply the latest stable kernel updates to resolve this vulnerability.