Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid1: stop mdx_raid1 thread when raid1 array run failed

Running the raid1 array fails when we assemble the array with only the inactive disk, but the mdx_raid1 thread was not stopped, even though the associated resources had been released. This causes a NULL dereference when we do poweroff. This causes the following Oops:

[ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
[ 287.594762] #PF: supervisor read access in kernel mode
[ 287.599912] #PF: error_code(0x0000) - not-present page
[ 287.605061] PGD 0 P4D 0
[ 287.607612] Oops: 0000 [#1] SMP NOPTI
[ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0
[ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
[ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
[ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
[ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
[ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
[ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
[ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
[ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
[ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
[ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
[ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
[ 287.713033] Call Trace:
[ 287.715498] raid1d+0x6c/0xbbb [raid1]
[ 287.719256] ? __schedule+0x1ff/0x760
[ 287.722930] ? schedule+0x3b/0xb0
[ 287.726260] ? schedule_timeout+0x1ed/0x290
[ 287.730456] ? __switch_to+0x11f/0x400
[ 287.734219] md_thread+0xe9/0x140 [md_mod]
[ 287.738328] ? md_thread+0xe9/0x140 [md_mod]
[ 287.742601] ? wait_woken+0x80/0x80
[ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]
[ 287.751064] kthread+0x11a/0x140
[ 287.754300] ? kthread_park+0x90/0x90
[ 287.757974] ret_from_fork+0x1f/0x30

In fact, when the raid1 array run fails, we need to do md_unregister_thread() before raid1_free().
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before d684ceb77311410aeaf5189d321f9f564838c49a
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 110f14a7b2eb5b8aa9df5af2d629524f2a07d543
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 19d5a0e17aba92b10d895e40ec782768cf00da23
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 10d713532ffc67b13df61ed9c138a8ce0a186236
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a3cc41e05e8af340a2a759b168c29fffdb9194eb
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 22be44212cad8be96860346882d8e694b0b437b6
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before d26364596db8f8b55277b2afb3952e05a4057a21
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b611ad14006e5be2170d9e8e611bf49dff288911
4.9.337 (semver)
4.14.303 (semver)
4.19.270 (semver)
5.4.229 (semver)
5.10.163 (semver)
5.15.86 (semver)
6.0.16 (semver)
6.1.2 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/d684ceb77311410aeaf5189d321f9f564838c49a
git.kernel.org/...c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543
git.kernel.org/...c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c
git.kernel.org/...c/19d5a0e17aba92b10d895e40ec782768cf00da23
git.kernel.org/...c/10d713532ffc67b13df61ed9c138a8ce0a186236
git.kernel.org/...c/a3cc41e05e8af340a2a759b168c29fffdb9194eb
git.kernel.org/...c/22be44212cad8be96860346882d8e694b0b437b6
git.kernel.org/...c/d26364596db8f8b55277b2afb3952e05a4057a21
git.kernel.org/...c/b611ad14006e5be2170d9e8e611bf49dff288911
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.