In the Linux kernel, the following vulnerability has been resolved:
md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime
After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), the following panic is reported:
Oops: general protection fault, probably for non-canonical address
RIP: 0010:bitmap_get_stats+0x2b/0xa0
Call Trace:
 <TASK>
 md_seq_show+0x2d2/0x5b0
 seq_read_iter+0x2b9/0x470
 seq_read+0x12f/0x180
 proc_reg_read+0x57/0xb0
 vfs_read+0xf6/0x380
 ksys_read+0x6c/0xf0
 do_syscall_64+0x82/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Root cause is that bitmap_get_stats() can be called at any time if mddev is still there, even if the bitmap is destroyed or not fully initialized. Dereferencing bitmap in this case can crash the kernel. Meanwhile, the above commit started dereferencing bitmap->storage, which makes the problem easier to trigger.
Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.
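As an added userspace model of the fix described above (not the kernel's own code): the stats reader takes the same lock that serialises bitmap creation and destruction, and refuses to touch a bitmap that is absent or not yet fully initialised instead of dereferencing it. The struct layouts, the calloc-based create/init/destroy helpers and the -ENOENT return value are assumptions made for this model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Simplified shapes assumed for this model; the kernel's structs differ. */
struct bitmap_storage { unsigned long sync_size; };
struct bitmap { struct bitmap_storage *storage; unsigned long pages; };
struct md_bitmap_stats { unsigned long sync_size; unsigned long pages; };
struct mddev {
    pthread_mutex_t bitmap_info_mutex; /* stands in for bitmap_info.mutex */
    struct bitmap *bitmap;             /* NULL when absent or destroyed */
};

/* Fixed shape of the reader: take the lock that serialises creation and
 * destruction, and report a missing or half-built bitmap as an error. */
int bitmap_get_stats(struct mddev *m, struct md_bitmap_stats *s)
{
    int rv = -ENOENT;
    pthread_mutex_lock(&m->bitmap_info_mutex);
    if (m->bitmap && m->bitmap->storage) {
        s->sync_size = m->bitmap->storage->sync_size;
        s->pages = m->bitmap->pages;
        rv = 0;
    }
    pthread_mutex_unlock(&m->bitmap_info_mutex);
    return rv;
}

/* Lifetime operations publish every pointer change under the same lock.
 * Creation is split in two so the "not fully initialised" window exists. */
void bitmap_create(struct mddev *m, unsigned long pages)
{
    pthread_mutex_lock(&m->bitmap_info_mutex);
    m->bitmap = calloc(1, sizeof *m->bitmap);   /* storage still NULL */
    m->bitmap->pages = pages;
    pthread_mutex_unlock(&m->bitmap_info_mutex);
}
void bitmap_init_storage(struct mddev *m, unsigned long sync_size)
{
    pthread_mutex_lock(&m->bitmap_info_mutex);
    m->bitmap->storage = calloc(1, sizeof *m->bitmap->storage);
    m->bitmap->storage->sync_size = sync_size;
    pthread_mutex_unlock(&m->bitmap_info_mutex);
}
void bitmap_destroy(struct mddev *m)
{
    pthread_mutex_lock(&m->bitmap_info_mutex);
    struct bitmap *b = m->bitmap;
    m->bitmap = NULL;                  /* readers now see "no bitmap" */
    pthread_mutex_unlock(&m->bitmap_info_mutex);
    if (b) { free(b->storage); free(b); }
}
```

A reader that grabs the pointer without the lock, as the pre-fix path did, has no way to tell a live bitmap from one in the middle of either window above.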