CVE-2025-22126

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 25/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

md: fix mddev uaf while iterating all_mddevs list

While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deleting the next mddev, causing UAF:

t1:
spin_lock
//list_for_each_entry_safe(mddev, n, ...)
mddev_get(mddev1)
// assume mddev2 is the next entry
spin_unlock
            t2:
            //remove mddev2
            ...
            mddev_free
            spin_lock
            list_del
            spin_unlock
            kfree(mddev2)
mddev_put(mddev1)
spin_lock
//continue dereference mddev2->all_mddevs

The old helper for_each_mddev() actually grabs the reference of mddev2 while holding the lock, to prevent it from being freed. This problem can be fixed the same way, however, the code will be complex.

Hence switch to use list_for_each_entry, in this case mddev_put() can free the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor out a helper mddev_put_locked() to fix this problem.
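
The interleaving described above, as a deterministic single-threaded C model (an added example, not the kernel patch or kernel code). `struct dev`, `walk()` and `t2_remove_next()` are constructed names; a `freed` flag stands in for kfree(), and the model assumes that dropping the reference while the lock is held does not free the current entry.

```c
#include <stdio.h>

/* Constructed single-threaded model; names are illustrative, not kernel code.
 * 'freed' stands in for kfree() so a stale step is counted, not executed. */
struct dev { struct dev *next; int active; int freed; };

static struct dev devs[3];
static struct dev *head;
int visited;                       /* live entries the last walk processed */

static void reset_list(void)
{
    for (int i = 0; i < 3; i++)
        devs[i] = (struct dev){ .next = i < 2 ? &devs[i + 1] : NULL };
    head = &devs[0];
    visited = 0;
}

/* Models t2 in the window where t1 has dropped the lock: unlink and "free"
 * the successor of cur if nothing holds a reference to it. */
static void t2_remove_next(struct dev *cur)
{
    struct dev *victim = cur->next;
    if (victim && victim->active == 0) {
        cur->next = victim->next;  /* list_del */
        victim->freed = 1;         /* kfree */
    }
}

/* Returns how many times the walk stepped onto a freed entry. */
int walk(int cache_next)
{
    int stale = 0;
    reset_list();                              /* spin_lock */
    for (struct dev *d = head, *n; d; d = n) {
        if (d->freed) { stale++; break; }      /* kernel: use-after-free */
        visited++;
        n = d->next;                           /* _safe: sampled before unlock */
        d->active++;                           /* mddev_get() pins d, not n */
        if (d == &devs[0])                     /* spin_unlock ... spin_lock */
            t2_remove_next(d);
        d->active--;                           /* put while holding the lock */
        if (!cache_next)
            n = d->next;                       /* re-read next under the lock */
    }
    return stale;                              /* spin_unlock */
}

int main(void)
{
    printf("cached next:  stale=%d\n", walk(1));
    printf("re-read next: stale=%d\n", walk(0));
    return 0;
}
```

With the cached successor the walk lands on the entry t2 removed; re-reading the successor from the pinned entry after relocking skips it and reaches the remaining live entry.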

Impact