CVE-2025-71225

Summary

In the Linux kernel, the following vulnerability has been resolved:

md: suspend array while updating raid_disks via sysfs

In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.

However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued to either retry_list or bio_end_io_list. As a result, freeze_array() may unblock before these r1bios are released.

This can lead to a situation where conf->raid_disks and the mempool have already been updated while queued r1bios, allocated with the old raid_disks value, are later released. Consequently, free_r1bio() may access memory out of bounds in put_all_bios() and release r1bios of the wrong size to the new mempool, potentially causing issues with the mempool as well.

Since only normal I/O might increase nr_queued while an I/O error occurs, suspending the array avoids this issue.

Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends the array. Therefore, we suspend the array when updating raid_disks via sysfs to avoid this issue too.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxe2d59925221cd562e07fee38ec8839f7209ae603 < 165d1359f945b72c5f90088f60d48ff46115269eaffected
LinuxLinuxe2d59925221cd562e07fee38ec8839f7209ae603 < 0107b18cd8ac17eb3e54786adc05a85cdbb6ef22affected
LinuxLinuxe2d59925221cd562e07fee38ec8839f7209ae603 < 2cc583653bbe050bacd1cadcc9776d39bf449740affected
LinuxLinux1b9203bb4c658c0242afa6fdb025c71d2fc3ad76affected
LinuxLinux8ccf6cfb157419847f3cb2bfdfbcdbd39860e8e9affected
LinuxLinux3.4.59 < 3.5affected
LinuxLinux3.9.7 < 3.10affected
LinuxLinux3.10affected
LinuxLinux0 < 3.10unaffected
LinuxLinux6.12.70 <= 6.12.*unaffected
LinuxLinux6.18.10 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References