Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.16.0, < 6.16.0+
A NULL pointer dereference in the Linux kernel's RAID management component has been fixed. The fault is in the 'rdev_addable' function, which is part of the MD (multiple device) subsystem, and it could lead to a kernel panic. The 'rdev->mddev' pointer could be set to NULL before the 'synchronize_rcu' call in 'md_kick_rdev_from_array', so a call to 'rdev_addable' during RAID synchronization dereferenced NULL. The vulnerability affected Linux kernel versions through 6.16.0.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by triggering the 'md_start_sync' function in the RAID management subsystem. This can be done by initiating a RAID synchronization process that requires reconfiguration, which causes the 'rdev_addable' function to be called. Because 'rdev_addable' does not properly handle the RCU (Read-Copy-Update) context, it dereferences a NULL pointer, leading to a kernel panic.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.
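One way to triage kernel logs for the crash described above (an added example, not part of the original advisory or of the kernel source): the function splits log text into NULL-dereference oops reports and flags those whose faulting symbol is 'rdev_addable', noting whether 'md_start_sync' appears in the call trace. The sample log is constructed, and the line layout assumed is the common x86-64 dmesg oops format.

```python
import re

# Function names taken from the advisory text above.
FAULT_FN, SYNC_FN = "rdev_addable", "md_start_sync"
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # dmesg timestamp prefix
RIP = re.compile(r"RIP: \d+:(\w+)\+0x")           # faulting symbol
FRAME = re.compile(r"^\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # call-trace frame

def find_null_deref_oopses(log_text):
    """Split a kernel log into NULL-dereference oopses and flag the MD ones."""
    reports, cur = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if "BUG: kernel NULL pointer dereference" in line:
            cur = {"rip": None, "trace": [], "md_rdev_addable": False, "via_sync": False}
            reports.append(cur)
        elif cur is not None and "---[ end trace" in line:
            cur = None                             # this oops report is complete
        elif cur is not None:
            rip, frame = RIP.search(line), FRAME.match(line)
            if rip and cur["rip"] is None:
                cur["rip"] = rip.group(1)
            elif frame and not rip:
                cur["trace"].append(frame.group(1))
            cur["md_rdev_addable"] = cur["rip"] == FAULT_FN
            cur["via_sync"] = SYNC_FN in cur["trace"]
    return reports

# Constructed sample log (addresses, offsets and timestamps are made up).
SAMPLE_LOG = """\
[  812.101000] md: recovery of RAID array md0
[  812.104210] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.104215] Oops: 0000 [#1] PREEMPT SMP
[  812.104221] Workqueue: md_misc md_start_sync
[  812.104226] RIP: 0010:rdev_addable+0x4d/0xf0
[  812.104231] Call Trace:
[  812.104233]  <TASK>
[  812.104236]  md_start_sync+0x1b0/0x320
[  812.104240]  process_one_work+0x18e/0x350
[  812.104244]  </TASK>
[  812.104250] ---[ end trace 0000000000000000 ]---
[  990.500100] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  990.500110] RIP: 0010:example_driver_poll+0x22/0x80
[  990.500120] Call Trace:
[  990.500130]  example_driver_irq+0x40/0x90
[  990.500140] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for report in find_null_deref_oopses(SAMPLE_LOG):
        print(report)
```

Feed it the output of `dmesg` or a saved kernel log; the second report in the sample is an unrelated oops with hypothetical symbol names, included to show that it is not flagged.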