GHSA-RRPF-VHV2-QW86

Vulnerability from github – Published: 2025-12-24 15:30 – Updated: 2025-12-24 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: stop mdx_raid1 thread when raid1 array run failed

fail run raid1 array when we assemble array with the inactive disk only, but the mdx_raid1 thread were not stop, Even if the associated resources have been released. it will caused a NULL dereference when we do poweroff.

This causes the following Oops: [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 [ 287.594762] #PF: supervisor read access in kernel mode [ 287.599912] #PF: error_code(0x0000) - not-present page [ 287.605061] PGD 0 P4D 0 [ 287.607612] Oops: 0000 [#1] SMP NOPTI [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 [ 287.713033] Call Trace: [ 287.715498] raid1d+0x6c/0xbbb [raid1] [ 287.719256] ? __schedule+0x1ff/0x760 [ 287.722930] ? schedule+0x3b/0xb0 [ 287.726260] ? schedule_timeout+0x1ed/0x290 [ 287.730456] ? __switch_to+0x11f/0x400 [ 287.734219] md_thread+0xe9/0x140 [md_mod] [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] [ 287.742601] ? wait_woken+0x80/0x80 [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] [ 287.751064] kthread+0x11a/0x140 [ 287.754300] ? kthread_park+0x90/0x90 [ 287.757974] ret_from_fork+0x1f/0x30

In fact, when raid1 array run fail, we need to do md_unregister_thread() before raid1_free().

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50715"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:15:58Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: stop mdx_raid1 thread when raid1 array run failed\n\nfail run raid1 array when we assemble array with the inactive disk only,\nbut the mdx_raid1 thread were not stop, Even if the associated resources\nhave been released. it will caused a NULL dereference when we do poweroff.\n\nThis causes the following Oops:\n    [  287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070\n    [  287.594762] #PF: supervisor read access in kernel mode\n    [  287.599912] #PF: error_code(0x0000) - not-present page\n    [  287.605061] PGD 0 P4D 0\n    [  287.607612] Oops: 0000 [#1] SMP NOPTI\n    [  287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G     U            5.10.146 #0\n    [  287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022\n    [  287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]\n    [  287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......\n    [  287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202\n    [  287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000\n    [  287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800\n    [  287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff\n    [  287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800\n    [  287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500\n    [  287.692052] FS:  0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000\n    [  287.700149] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    [  287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0\n    [  287.713033] Call Trace:\n    [  287.715498]  raid1d+0x6c/0xbbb [raid1]\n    [  287.719256]  ? __schedule+0x1ff/0x760\n    [  287.722930]  ? schedule+0x3b/0xb0\n    [  287.726260]  ? schedule_timeout+0x1ed/0x290\n    [  287.730456]  ? __switch_to+0x11f/0x400\n    [  287.734219]  md_thread+0xe9/0x140 [md_mod]\n    [  287.738328]  ? md_thread+0xe9/0x140 [md_mod]\n    [  287.742601]  ? wait_woken+0x80/0x80\n    [  287.746097]  ? md_register_thread+0xe0/0xe0 [md_mod]\n    [  287.751064]  kthread+0x11a/0x140\n    [  287.754300]  ? kthread_park+0x90/0x90\n    [  287.757974]  ret_from_fork+0x1f/0x30\n\nIn fact, when raid1 array run fail, we need to do\nmd_unregister_thread() before raid1_free().",
  "id": "GHSA-rrpf-vhv2-qw86",
  "modified": "2025-12-24T15:30:32Z",
  "published": "2025-12-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50715"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10d713532ffc67b13df61ed9c138a8ce0a186236"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19d5a0e17aba92b10d895e40ec782768cf00da23"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22be44212cad8be96860346882d8e694b0b437b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3cc41e05e8af340a2a759b168c29fffdb9194eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b611ad14006e5be2170d9e8e611bf49dff288911"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d26364596db8f8b55277b2afb3952e05a4057a21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d684ceb77311410aeaf5189d321f9f564838c49a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.