CVE-2025-71225
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: suspend array while updating raid_disks via sysfs
In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued to either retry_list or bio_end_io_list. As a result, freeze_array() may unblock before these r1bios are released.
This can lead to a situation where conf->raid_disks and the mempool have already been updated while queued r1bios, allocated with the old raid_disks value, are later released. Consequently, free_r1bio() may access memory out of bounds in put_all_bios() and release r1bios of the wrong size to the new mempool, potentially causing issues with the mempool as well.
Since only normal I/O might increase nr_queued while an I/O error occurs, suspending the array avoids this issue.
Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends the array. Therefore, we suspend the array when updating raid_disks via sysfs to avoid this issue too.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e2d59925221cd562e07fee38ec8839f7209ae603 < 165d1359f945b72c5f90088f60d48ff46115269e | affected |
| Linux | Linux | e2d59925221cd562e07fee38ec8839f7209ae603 < 0107b18cd8ac17eb3e54786adc05a85cdbb6ef22 | affected |
| Linux | Linux | e2d59925221cd562e07fee38ec8839f7209ae603 < 2cc583653bbe050bacd1cadcc9776d39bf449740 | affected |
| Linux | Linux | 1b9203bb4c658c0242afa6fdb025c71d2fc3ad76 | affected |
| Linux | Linux | 8ccf6cfb157419847f3cb2bfdfbcdbd39860e8e9 | affected |
| Linux | Linux | 3.4.59 < 3.5 | affected |
| Linux | Linux | 3.9.7 < 3.10 | affected |
| Linux | Linux | 3.10 | affected |
| Linux | Linux | 0 < 3.10 | unaffected |
| Linux | Linux | 6.12.70 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/165d1359f945b72c5f90088f60d48ff46115269e
- https://git.kernel.org/stable/c/0107b18cd8ac17eb3e54786adc05a85cdbb6ef22
- https://git.kernel.org/stable/c/2cc583653bbe050bacd1cadcc9776d39bf449740
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.