CVE-2023-53210

15.09.2025, 15:15

In the Linux kernel, the following vulnerability has been resolved:

md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()

r5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is
empty, and then submit 'flush_bio', however, r5l_log_flush_endio()
is clearing the list first and then clear the bio, which will cause
null-ptr-deref:

T1: submit flush io
raid5d
 handle_active_stripes
  r5l_flush_stripe_to_raid
   // list is empty
   // add 'io_end_ios' to the list
   bio_init
   submit_bio
   // io1

T2: io1 is done
r5l_log_flush_endio
 list_splice_tail_init
 // clear the list
			T3: submit new flush io
			...
			r5l_flush_stripe_to_raid
			 // list is empty
			 // add 'io_end_ios' to the list
			 bio_init
 bio_uninit
 // clear bio->bi_blkg
			 submit_bio
			 // null-ptr-deref

Fix this problem by clearing bio before clearing the list in
r5l_log_flush_endio().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm	6.1.148-1 fixed
bookworm (security)	6.1.147-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.41-1 fixed
forky	6.16.3-1 fixed
sid	6.16.7-1 fixed

References

https://git.kernel.org/stable/c/0d0bd28c500173bfca78aa840f8f36d261ef1765

https://git.kernel.org/stable/c/711fb92606208a8626b785da4f9f23d648a5b6c8

https://git.kernel.org/stable/c/7a8b6d93991bf4b72b3f959baea35397c6c8e521

https://git.kernel.org/stable/c/e46b2e7be8059d156af8c011dd8d665229b65886