Home

Description

In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, ...); conf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { --pool->curr_nr; } } } } mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } } Fix: reinit conf->r1bio_pool.wait after assigning newpool.

PUBLISHED Reserved 2025-04-16 | Published 2025-07-25 | Updated 2025-11-03 | Assigner Linux

Product status

Default status
unaffected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before d8a6853d00fbaa810765c8ed2f452a5832273968
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before 12b00ec99624f8da8c325f2dd6e807df26df0025
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before 48da050b4f54ed639b66278d0ae6f4107b2c4e2d
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before 5f35e48b76655e45522df338876dfef88dafcc71
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before df5894014a92ff0196dbc212a7764e97366fd2b7
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before 776e6186dc9ecbdb8a1b706e989166c8a99bbf64
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before 61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb
affected

afeee514ce7f4cab605beedd03be71ebaf0c5fc8 (git) before d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98
affected

Default status
affected

4.18
affected

Any version before 4.18
unaffected

5.4.296 (semver)
unaffected

5.10.240 (semver)
unaffected

5.15.189 (semver)
unaffected

6.1.146 (semver)
unaffected

6.6.99 (semver)
unaffected

6.12.39 (semver)
unaffected

6.15.7 (semver)
unaffected

6.16 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/10/msg00008.html

lists.debian.org/debian-lts-announce/2025/10/msg00007.html

git.kernel.org/...c/d8a6853d00fbaa810765c8ed2f452a5832273968

git.kernel.org/...c/12b00ec99624f8da8c325f2dd6e807df26df0025

git.kernel.org/...c/48da050b4f54ed639b66278d0ae6f4107b2c4e2d

git.kernel.org/...c/5f35e48b76655e45522df338876dfef88dafcc71

git.kernel.org/...c/df5894014a92ff0196dbc212a7764e97366fd2b7

git.kernel.org/...c/776e6186dc9ecbdb8a1b706e989166c8a99bbf64

git.kernel.org/...c/61fd5e93006cf82ec8ee5c115ab5cf4bbd104bdb

git.kernel.org/...c/d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98

cve.org (CVE-2025-38445)

nvd.nist.gov (CVE-2025-38445)

Download JSON