CVE-2026-53125
Received - Intake
Kernel Deadlock in Linux md RAID Array

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

md: fix array_state=clear sysfs deadlock

When "clear" is written to array_state, md_attr_store() breaks sysfs active protection so the array can delete itself from its own sysfs store method.

However, md_attr_store() currently drops the mddev reference before calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can become the last kobject reference protecting the md kobject.

That allows sysfs_unbreak_active_protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs_drain() in the call chain.

Reproducer on an existing level:

1. Create an md0 linear array and activate it:

    mknod /dev/md0 b 9 0
    echo none > /sys/block/md0/md/metadata_version
    echo linear > /sys/block/md0/md/level
    echo 1 > /sys/block/md0/md/raid_disks
    echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev
    echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \
        /sys/block/md0/md/dev-sdb/size
    echo 0 > /sys/block/md0/md/dev-sdb/slot
    echo active > /sys/block/md0/md/array_state

2. Wait briefly for the array to settle, then clear it:

    sleep 2
    echo clear > /sys/block/md0/md/array_state

The warning looks like:

    WARNING: possible recursive locking detected
    bash/588 is trying to acquire lock:
    (kn->active#65) at __kernfs_remove+0x157/0x1d0
    but task is already holding lock:
    (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40
    ...
    Call Trace:
    kernfs_drain
    __kernfs_remove
    kernfs_remove_by_name_ns
    sysfs_remove_group
    sysfs_remove_groups
    __kobject_del
    kobject_put
    md_attr_store
    kernfs_fop_write_iter
    vfs_write
    ksys_write

Restore active protection before mddev_put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.

Meta Information

  • Published: 2026-06-24
  • Last Modified: 2026-06-24
  • Generated: 2026-06-25
  • AI Q&A: 2026-06-24
  • EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product      | Version / Range
linux  | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability is in the Linux kernel's md (multiple device) subsystem, in the sysfs handler for the array_state attribute. When the string "clear" is written to array_state, md_attr_store() breaks sysfs active protection so that the array can delete itself from its own store method. However, md_attr_store() drops the mddev reference before calling sysfs_unbreak_active_protection(). Once the array has been stopped and is eligible for delayed deletion, the temporary kobject reference taken by sysfs_break_active_protection() can be the last one protecting the md kobject, so sysfs_unbreak_active_protection() drops it from inside the sysfs write path. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, which leads to recursive locking and potential deadlocks.

The issue manifests as a lockdep "possible recursive locking detected" warning on kn->active, with kernfs_drain() in the call chain, raised while the md array's sysfs entries are being removed. The fix restores active protection before releasing the mddev reference, so the md kobject is not deleted until after the sysfs write operation completes.

Impact Analysis

This vulnerability can lead to kernel deadlocks or warnings about recursive locking when managing md arrays via sysfs. Such deadlocks can cause system instability or crashes, potentially impacting system availability and reliability.

If you use md arrays (software RAID) on Linux systems, this issue could disrupt normal operations when clearing or deleting arrays through sysfs, possibly requiring system reboots or manual intervention.

Detection Guidance

This vulnerability can be detected by reproducing the conditions that trigger the sysfs deadlock warning in the Linux kernel's md subsystem. Specifically, creating and activating an md0 linear array and then clearing its array_state triggers the issue.

Create an md0 linear array and activate it using the following commands:

    mknod /dev/md0 b 9 0
    echo none > /sys/block/md0/md/metadata_version
    echo linear > /sys/block/md0/md/level
    echo 1 > /sys/block/md0/md/raid_disks
    echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev
    echo "$(($(cat /sys/class/block/sdb/size) / 2))" > /sys/block/md0/md/dev-sdb/size
    echo 0 > /sys/block/md0/md/dev-sdb/slot
    echo active > /sys/block/md0/md/array_state

After waiting briefly for the array to settle (e.g., sleep 2), clear the array state with:

    echo clear > /sys/block/md0/md/array_state

If the vulnerability is present and the kernel has lockdep enabled, a "possible recursive locking detected" warning on kn->active appears in the kernel log, indicating the deadlock condition.
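
One way to check kernel log text for this specific warning rather than for any lockdep report, as an added example that is not part of the advisory or the kernel patch. The function name `md_clear_splat`, the 60-line window and both sample logs are assumptions made for illustration; the matched strings are the ones quoted in the description above.

```shell
#!/usr/bin/env bash
# Added example: find this CVE's lockdep report in kernel log text.

# Reads kernel log text on stdin. Returns 0 if a "possible recursive locking
# detected" report names kn->active, kernfs_drain and md_attr_store within
# 60 lines of its header (window size is an assumption), otherwise 1.
# All three are required so reports from other subsystems do not match.
md_clear_splat() {
    awk '
        /possible recursive locking detected/ {
            start = NR; kn = 0; drain = 0; md = 0; insplat = 1; next
        }
        insplat && NR - start > 60 { insplat = 0 }  # report is over
        insplat && /kn->active/    { kn = 1 }
        insplat && /kernfs_drain/  { drain = 1 }
        insplat && /md_attr_store/ { md = 1 }
        insplat && kn && drain && md { found = 1; insplat = 0 }
        END { exit !found }
    '
}

# Constructed sample: the warning quoted above, with timestamps added.
sample_affected() {
    cat <<'EOF'
[  42.100000] WARNING: possible recursive locking detected
[  42.100100] bash/588 is trying to acquire lock:
[  42.100200] (kn->active#65) at __kernfs_remove+0x157/0x1d0
[  42.100300] but task is already holding lock:
[  42.100400] (kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40
[  42.100500] Call Trace:
[  42.100600]  kernfs_drain
[  42.100700]  kobject_put
[  42.100800]  md_attr_store
EOF
}

# Constructed sample: a recursive-locking report on an unrelated lock.
sample_unrelated() {
    cat <<'EOF'
[  77.000000] WARNING: possible recursive locking detected
[  77.000100] kworker/0:1/33 is trying to acquire lock:
[  77.000200] (&example->lock) at example_fn+0x10/0x40
EOF
}

for s in sample_affected sample_unrelated; do
    if "$s" | md_clear_splat; then echo "$s: signature present"
    else echo "$s: signature absent"; fi
done
```

On a test system the same function can read live output, for example `dmesg | md_clear_splat`.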

Mitigation Strategies

The vulnerability is resolved by restoring active protection before releasing the mddev reference, ensuring that the sysfs kobject reference is dropped while the mddev is still held alive. This defers the actual md kobject deletion until after the sysfs write path has fully returned.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix, as the issue is related to kernel internals and cannot be mitigated by configuration changes alone.
