{"id":"CVE-2025-71225","summary":"md: suspend array while updating raid_disks via sysfs","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd: suspend array while updating raid_disks via sysfs\n\nIn raid1_reshape(), freeze_array() is called before modifying the r1bio\nmemory pool (conf-\u003er1bio_pool) and conf-\u003eraid_disks, and\nunfreeze_array() is called after the update is completed.\n\nHowever, freeze_array() only waits until nr_sync_pending and\n(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error\noccurs, nr_queued is increased and the corresponding r1bio is queued to\neither retry_list or bio_end_io_list. As a result, freeze_array() may\nunblock before these r1bios are released.\n\nThis can lead to a situation where conf-\u003eraid_disks and the mempool have\nalready been updated while queued r1bios, allocated with the old\nraid_disks value, are later released. Consequently, free_r1bio() may\naccess memory out of bounds in put_all_bios() and release r1bios of the\nwrong size to the new mempool, potentially causing issues with the\nmempool as well.\n\nSince only normal I/O might increase nr_queued while an I/O error occurs,\nsuspending the array avoids this issue.\n\nNote: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends\nthe array. Therefore, we suspend the array when updating raid_disks\nvia sysfs to avoid this issue too.","modified":"2026-04-28T18:44:35.099805795Z","published":"2026-02-18T14:21:46.249Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","SUSE-SU-2026:21284-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71225.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0107b18cd8ac17eb3e54786adc05a85cdbb6ef22"},{"type":"WEB","url":"https://git.kernel.org/stable/c/165d1359f945b72c5f90088f60d48ff46115269e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2cc583653bbe050bacd1cadcc9776d39bf449740"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71225.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71225"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e2d59925221cd562e07fee38ec8839f7209ae603"},{"fixed":"165d1359f945b72c5f90088f60d48ff46115269e"},{"fixed":"0107b18cd8ac17eb3e54786adc05a85cdbb6ef22"},{"fixed":"2cc583653bbe050bacd1cadcc9776d39bf449740"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"1b9203bb4c658c0242afa6fdb025c71d2fc3ad76"},{"last_affected":"8ccf6cfb157419847f3cb2bfdfbcdbd39860e8e9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71225.json"}}],"schema_version":"1.7.5"}