Linux Kernel RAID10 Recovery Process Remaining Count Leak Vulnerability

A vulnerability exists in the Linux kernel's RAID10 implementation, where the recovery process can improperly manage the 'r10bio->remaining' count. This issue arises when a read operation fails, causing the recovery function to skip the corresponding write operation. As a result, the 'remaining' count is not decremented as it should be, leading to an I/O hang. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause an I/O hang, disrupting normal data processing and potentially leading to degraded system performance or availability.

Reproduction

The vulnerability can be reproduced by configuring a RAID10 array in the Linux kernel and simulating a read I/O failure during the recovery process. This can be done by introducing an error that prevents the read operation from completing successfully. When the recovery function attempts to write data to compensate for the failed read, it will skip the write operation due to the error, causing the 'r10bio->remaining' count to leak. This leaked count will not be properly accounted for, leading to an I/O hang as the system waits for a completion that never arrives.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is available in the Linux kernel stable tree.