Bug 2395424 (CVE-2023-53210) - CVE-2023-53210 kernel: md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()
Summary: CVE-2023-53210 kernel: md/raid5-cache: fix null-ptr-deref for r5l_flush_strip...
Keywords:
Status: NEW
Alias: CVE-2023-53210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-15 15:13 UTC by OSIDB Bzimport
Modified: 2025-09-18 15:53 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:13:07 UTC 
In the Linux kernel, the following vulnerability has been resolved:

md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()

r5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is
empty, and then submit 'flush_bio', however, r5l_log_flush_endio()
is clearing the list first and then clear the bio, which will cause
null-ptr-deref:

T1: submit flush io
raid5d
 handle_active_stripes
  r5l_flush_stripe_to_raid
   // list is empty
   // add 'io_end_ios' to the list
   bio_init
   submit_bio
   // io1

T2: io1 is done
r5l_log_flush_endio
 list_splice_tail_init
 // clear the list
			T3: submit new flush io
			...
			r5l_flush_stripe_to_raid
			 // list is empty
			 // add 'io_end_ios' to the list
			 bio_init
 bio_uninit
 // clear bio->bi_blkg
			 submit_bio
			 // null-ptr-deref

Fix this problem by clearing bio before clearing the list in
r5l_log_flush_endio().
Comment 1 Jon Moroney 2025-09-15 16:46:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091511-CVE-2023-53210-0e06@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.