Linux Kernel NULL Pointer Dereference Vulnerability in MD Cluster Management

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's MD cluster management. The issue arises in the 'process_metadata_update()' function, which improperly dereferences the 'thread' pointer without adequate validation. This flaw can lead to a kernel panic under specific conditions. During the startup sequence of an MD array, a race condition can occur where a 'METADATA_UPDATED' message is received from a remote node before the main MD thread is initialized. As a result, the 'process_metadata_update()' function is called with a NULL thread pointer, causing a system crash.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by initiating an MD array and triggering the 'bitmap_load()' function, which calls 'md_cluster_ops->join()'. This process starts the 'cluster_recv' thread, which can begin processing messages. However, the main MD thread is not ready yet. If a 'METADATA_UPDATED' message is received from a remote node during this window, the 'process_metadata_update()' function will be called with a NULL thread pointer, resulting in a kernel panic.
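As an added illustration (not code from this advisory or from the kernel), the following constructed C model replays the startup ordering described above: an unguarded handler shows the pattern that faults when 'thread' is still NULL, and a hypothetical guarded variant (the advisory does not describe the upstream fix) refuses a 'METADATA_UPDATED' message that arrives before the main MD thread exists. The struct layouts, field names and the -EAGAIN return are assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the md-cluster objects the race touches; not the
 * kernel's definitions, just the fields needed to show the bug. */
struct md_thread { int wakeups; };          /* models the daemon's wait queue */
struct mddev {
    struct md_thread *thread;               /* NULL until the main MD thread exists */
    int good_device_nr;
};
struct cluster_msg { int type; int raid_slot; };
enum { METADATA_UPDATED = 1 };

/* Vulnerable pattern from the advisory: the thread pointer is trusted
 * unconditionally, so a message inside the startup window faults. */
static void process_metadata_update_unguarded(struct mddev *mddev,
                                              const struct cluster_msg *msg)
{
    mddev->good_device_nr = msg->raid_slot;
    mddev->thread->wakeups++;               /* NULL dereference before md_start */
}

/* Hypothetical hardened form (not the upstream patch): validate the pointer
 * and report the early message instead of dereferencing NULL. */
static int process_metadata_update(struct mddev *mddev,
                                   const struct cluster_msg *msg)
{
    struct md_thread *thread = mddev->thread;  /* kernel reads this under RCU */
    if (thread == NULL)
        return -EAGAIN;                     /* remote node raced our startup */
    mddev->good_device_nr = msg->raid_slot;
    thread->wakeups++;                      /* stands in for md_wakeup_thread() */
    return 0;
}

/* Deterministic replay of the window: bitmap_load() -> join() has started
 * cluster_recv, a METADATA_UPDATED lands before the main thread is set, then
 * another lands after it. Returns the daemon's wakeup count (1) when the
 * early message was refused with -EAGAIN, or -1 if it slipped through. */
static int simulate_startup_race(void)
{
    struct md_thread daemon = { 0 };
    struct mddev dev = { NULL, -1 };
    struct cluster_msg msg = { METADATA_UPDATED, 2 };
    int early_rc = process_metadata_update(&dev, &msg);   /* thread still NULL */
    dev.thread = &daemon;                   /* md_start() created the main thread */
    process_metadata_update(&dev, &msg);    /* now applied: good_device_nr = 2 */
    (void)process_metadata_update_unguarded;  /* shown only; running it here faults */
    return early_rc == -EAGAIN ? daemon.wakeups : -1;
}
```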

Remediation

The vulnerability has been addressed in the official Linux Git repository. Users can upgrade to the latest version to apply the fix.

Added: May 6, 2026, 12:39 PM
Updated: May 6, 2026, 12:39 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.