Linux Kernel RAID10 Null Pointer Dereference Vulnerability in Synchronization Request

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's RAID10 module, specifically within the `raid10_sync_request` function. This issue arises from improper handling of the `mreplace` variable, which is used to manage disk replacements in the RAID10 array. The vulnerability occurs when `mreplace` is set to NULL for a faulty disk, but the corresponding `need_replace` flag is not updated. If a disk is marked faulty between two checks, it can lead to a null pointer dereference when the synchronization request is processed. This vulnerability affects the Linux kernel's stable releases.
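The stale-flag pattern described above, as an added example that is not the kernel's code or the upstream patch. It is a simplified user-space model: the struct, the function names and the `fault_between_checks` parameter (which stands in for a concurrent disk failure) are assumptions, and the model returns a result code at the point where the kernel would dereference NULL.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model. All names are hypothetical, not kernel code. */
struct rdev_model { bool faulty; int nr_pending; };
enum sync_result { SYNC_SKIPPED, SYNC_OK, SYNC_NULL_DEREF };

/* Stale-flag pattern: the flag is computed at the first check, the pointer
 * is cleared at the second check, and the flag is never revisited. */
enum sync_result sync_stale_flag(struct rdev_model *repl, bool fault_between_checks)
{
    struct rdev_model *mreplace = repl;
    bool need_replace = mreplace != NULL && !mreplace->faulty;  /* check 1 */

    if (fault_between_checks && repl)
        repl->faulty = true;           /* models a concurrent disk failure */

    if (mreplace && mreplace->faulty)  /* check 2 */
        mreplace = NULL;               /* need_replace is now stale */

    if (!need_replace)
        return SYNC_SKIPPED;
    if (mreplace == NULL)
        return SYNC_NULL_DEREF;        /* the kernel would dereference NULL here */
    mreplace->nr_pending++;
    return SYNC_OK;
}

/* One way to close the gap (an assumption, not the upstream fix): test the
 * faulty state once and derive the flag from the pointer itself. */
enum sync_result sync_single_check(struct rdev_model *repl, bool fault_between_checks)
{
    struct rdev_model *mreplace = repl;
    if (mreplace && mreplace->faulty)
        mreplace = NULL;
    bool need_replace = mreplace != NULL;  /* cannot disagree with the pointer */

    if (fault_between_checks && repl)
        repl->faulty = true;  /* a late fault leaves pointer and flag consistent */

    if (!need_replace)
        return SYNC_SKIPPED;
    mreplace->nr_pending++;   /* pointer is valid; later I/O errors are a separate path */
    return SYNC_OK;
}
```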

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a crash or undefined behavior in the system.

Reproduction

The vulnerability can be reproduced by creating a RAID10 array and introducing a fault in one of the disks. During the synchronization process, the `mreplace` variable will be incorrectly handled, leading to a null pointer dereference.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed.

Added: Sep 18, 2025, 3:14 PM
Updated: Sep 18, 2025, 3:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.