CVE-2025-21712

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2025
Last modified: 07/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime

After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), the following panic is reported:

Oops: general protection fault, probably for non-canonical address
RIP: 0010:bitmap_get_stats+0x2b/0xa0
Call Trace:
md_seq_show+0x2d2/0x5b0
seq_read_iter+0x2b9/0x470
seq_read+0x12f/0x180
proc_reg_read+0x57/0xb0
vfs_read+0xf6/0x380
ksys_read+0x6c/0xf0
do_syscall_64+0x82/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The root cause is that bitmap_get_stats() can be called at any time if mddev is still there, even if the bitmap is destroyed or not fully initialized. Dereferencing the bitmap in this case can crash the kernel. Meanwhile, the above commit starts dereferencing bitmap->storage, making the problem easier to trigger.

Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.

Impact