Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.9
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]md/raid10: fix null-ptr-deref in raid10_sync_request[EOL][EOL]init_resync() inits mempool and sets conf->have_replacemnt at the beginning[EOL]of sync, close_sync() frees the mempool when sync is completed.[EOL][EOL]After [1] recovery might be skipped and init_resync() is called but[EOL]close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.[EOL][EOL]The following is one way to reproduce the issue.[EOL][EOL] 1) create a array, wait for resync to complete, mddev->recovery_cp is set[EOL] to MaxSector.[EOL] 2) recovery is woken and it is skipped. conf->have_replacement is set to[EOL] 0 in init_resync(). close_sync() not called.[EOL] 3) some io errors and rdev A is set to WantReplacement.[EOL] 4) a new device is added and set to A's replacement.[EOL] 5) recovery is woken, A have replacement, but conf->have_replacemnt is[EOL] 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref[EOL] occurs.[EOL][EOL]Fix it by not calling init_resync() if recovery skipped.[EOL][EOL][1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
