CVE-2025-38621

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md: make rdev_addable usable for rcu mode<br /> <br /> Our testcase trigger panic:<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000000e0<br /> ...<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94<br /> PREEMPT(none)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.1-2.fc37 04/01/2014<br /> Workqueue: md_misc md_start_sync<br /> RIP: 0010:rdev_addable+0x4d/0xf0<br /> ...<br /> Call Trace:<br /> <br /> md_start_sync+0x329/0x480<br /> process_one_work+0x226/0x6d0<br /> worker_thread+0x19e/0x340<br /> kthread+0x10f/0x250<br /> ret_from_fork+0x14d/0x180<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Modules linked in: raid10<br /> CR2: 00000000000000e0<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:rdev_addable+0x4d/0xf0<br /> <br /> md_spares_need_change in md_start_sync will call rdev_addable which<br /> protected by rcu_read_lock/rcu_read_unlock. This rcu context will help<br /> protect rdev won&amp;#39;t be released, but rdev-&gt;mddev will be set to NULL<br /> before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by<br /> using READ_ONCE and check does rdev-&gt;mddev still alive.