CVE-2026-53125

In the Linux kernel, the following vulnerability has been resolved:

md: fix array state=clear sysfs deadlock

When "clear" is written to array state, md attr store() breaks sysfs active protection so the array can delete itself from its own sysfs store method.

However, md attr store() currently drops the mddev reference before calling sysfs unbreak active protection(). Once do md stop(..., 0) has made the mddev eligible for delayed deletion, the temporary kobject reference taken by sysfs break active protection() can become the last kobject reference protecting the md kobject.

That allows sysfs unbreak active protection() to drop the last kobject reference from the current sysfs writer context. kobject teardown then recurses into kernfs removal while the current sysfs node is still being unwound, and lockdep reports recursive locking on kn->active with kernfs drain() in the call chain.

Reproducer on an existing level:

The warning looks like:

WARNING: possible recursive locking detected bash/588 is trying to acquire lock: (kn->active#65) at kernfs remove+0x157/0x1d0 but task is already holding lock: (kn->active#65) at sysfs unbreak active protection+0x1f/0x40 ... Call Trace: kernfs drain kernfs remove kernfs remove by name ns sysfs remove group sysfs remove groups kobject del kobject put md attr store kernfs fop write iter vfs write ksys write

Restore active protection before mddev put() so the extra sysfs kobject reference is dropped while the mddev is still held alive. The actual md kobject deletion is then deferred until after the sysfs write path has fully returned.