CVE-2026-43271

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/05/2026
Last modified:
06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.

While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().

If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
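The startup window described above, replayed deterministically in a userspace C model. This is an added example, not the kernel patch or any code from the md-cluster source; every type and function name in it (model_array, deliver_update, replay_startup) is constructed for illustration, and the unguarded case is reported as a return value instead of actually dereferencing NULL.

```c
#include <stddef.h>

/* Userspace model with constructed names; it is not kernel code. */
struct model_thread { int wakeups; };
struct model_array {
    struct model_thread *thread; /* stands in for mddev->thread */
    int recv_running;            /* "cluster_recv" started by join() */
    int lock_held;               /* stands in for no_new_dev_lockres */
};
enum outcome { NOT_DELIVERED, WOULD_DEREF_NULL, IGNORED_NOT_READY, PROCESSED };

/* Deliver one METADATA_UPDATED message; guarded selects the fixed behaviour. */
enum outcome deliver_update(struct model_array *a, int guarded)
{
    if (!a->recv_running)
        return NOT_DELIVERED;         /* no receiver yet, handler never runs */
    a->lock_held = 1;                 /* handler holds the lock at the check */
    struct model_thread *t = a->thread;
    if (t == NULL) {
        if (!guarded)
            return WOULD_DEREF_NULL;  /* the kernel would panic at this point */
        a->lock_held = 0;             /* fix: release the lock, return early */
        return IGNORED_NOT_READY;
    }
    t->wakeups++;                     /* stand-in for waiting on the thread */
    /* Lock handling past this point is outside the description;
     * the model simply leaves it held. */
    return PROCESSED;
}

/* Replay the startup order from the description, injecting a message at step:
 * 0 = before join(), 1 = after join() but before the thread is set, 2 = after. */
enum outcome replay_startup(int step, int guarded)
{
    static struct model_thread main_thread;
    struct model_array a = { NULL, 0, 0 };
    enum outcome r = NOT_DELIVERED;

    if (step == 0) r = deliver_update(&a, guarded);
    a.recv_running = 1;               /* bitmap_load() -> join() */
    if (step == 1) r = deliver_update(&a, guarded);
    a.thread = &main_thread;          /* set later in md_run() */
    if (step == 2) r = deliver_update(&a, guarded);
    return r;
}
```

Only step 1 separates the two behaviours: the unguarded handler reaches the NULL pointer, while the guarded one drops the lock and ignores the update.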

Impact