Description
In the Linux kernel, the following vulnerability has been resolved:

md/raid1: stop mdx_raid1 thread when raid1 array run failed

Running the raid1 array fails when we assemble the array with the inactive disk only, but the mdx_raid1 thread was not stopped, even though the associated resources had been released. It will cause a NULL dereference when we do poweroff.

This causes the following Oops:

[ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
[ 287.594762] #PF: supervisor read access in kernel mode
[ 287.599912] #PF: error_code(0x0000) - not-present page
[ 287.605061] PGD 0 P4D 0
[ 287.607612] Oops: 0000 [#1] SMP NOPTI
[ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0
[ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
[ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
[ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
[ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
[ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
[ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
[ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
[ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
[ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
[ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
[ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
[ 287.713033] Call Trace:
[ 287.715498] raid1d+0x6c/0xbbb [raid1]
[ 287.719256] ? __schedule+0x1ff/0x760
[ 287.722930] ? schedule+0x3b/0xb0
[ 287.726260] ? schedule_timeout+0x1ed/0x290
[ 287.730456] ? __switch_to+0x11f/0x400
[ 287.734219] md_thread+0xe9/0x140 [md_mod]
[ 287.738328] ? md_thread+0xe9/0x140 [md_mod]
[ 287.742601] ? wait_woken+0x80/0x80
[ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]
[ 287.751064] kthread+0x11a/0x140
[ 287.754300] ? kthread_park+0x90/0x90
[ 287.757974] ret_from_fork+0x1f/0x30

In fact, when the raid1 array run fails, we need to do md_unregister_thread() before raid1_free().
Product status
5bad5054ecd83c866502f0370edfc9aa55dc9aa7 (git) before d684ceb77311410aeaf5189d321f9f564838c49a
440c3706f1d1835d24ba5b4bbe6515e0a97e886c (git) before 110f14a7b2eb5b8aa9df5af2d629524f2a07d543
f1db75622996af402deea9c018deb8e869ce7548 (git) before 0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before 19d5a0e17aba92b10d895e40ec782768cf00da23
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before 10d713532ffc67b13df61ed9c138a8ce0a186236
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before a3cc41e05e8af340a2a759b168c29fffdb9194eb
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before 22be44212cad8be96860346882d8e694b0b437b6
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before d26364596db8f8b55277b2afb3952e05a4057a21
07f1a6850c5d5a65c917c3165692b5179ac4cb6b (git) before b611ad14006e5be2170d9e8e611bf49dff288911
b8c11e01be7f7fcbda697e8cf9aa1f4ec65816f6 (git)
18a00f37f418838fbe2036f425a1ea04f93c473c (git)
d6092a9624ce32491e298f6b248b6ab31b2bbc5a (git)
5.4
Any version before 5.4
4.9.337 (semver)
4.14.303 (semver)
4.19.270 (semver)
5.4.229 (semver)
5.10.163 (semver)
5.15.86 (semver)
6.0.16 (semver)
6.1.2 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/d684ceb77311410aeaf5189d321f9f564838c49a
git.kernel.org/...c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543
git.kernel.org/...c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c
git.kernel.org/...c/19d5a0e17aba92b10d895e40ec782768cf00da23
git.kernel.org/...c/10d713532ffc67b13df61ed9c138a8ce0a186236
git.kernel.org/...c/a3cc41e05e8af340a2a759b168c29fffdb9194eb
git.kernel.org/...c/22be44212cad8be96860346882d8e694b0b437b6
git.kernel.org/...c/d26364596db8f8b55277b2afb3952e05a4057a21
git.kernel.org/...c/b611ad14006e5be2170d9e8e611bf49dff288911