In the Linux kernel, the following vulnerability has been resolved:
md: suspend array while updating raid_disks via sysfs
In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued to either retry_list or bio_end_io_list. As a result, freeze_array() may unblock before these r1bios are released.
This can lead to a situation where conf->raid_disks and the mempool have already been updated while queued r1bios, allocated with the old raid_disks value, are later released. Consequently, free_r1bio() may access memory out of bounds in put_all_bios() and release r1bios of the wrong size to the new mempool, potentially causing issues with the mempool as well.
Since only normal I/O might increase nr_queued while an I/O error occurs, suspending the array avoids this issue.
Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends the array. Therefore, we suspend the array when updating raid_disks via sysfs to avoid this issue too.
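The following is an added user-space model of the race the commit message describes; it is not kernel code and not part of the original advisory. The structures and functions (struct conf, alloc_r1bio(), queue_for_retry(), put_all_bios(), free_r1bio(), drain_retry_list(), freeze_array_satisfied(), suspend_satisfied(), reshape_scenario()) are simplified stand-ins for the raid1 objects named above; nr_sync_pending, per-bucket counters and bio_end_io_list are left out, "waiting" is reduced to a predicate checked once, and the out-of-bounds access and the wrong-size return to the mempool are reported as failures rather than performed. It contrasts the freeze_array() wait condition, which lets a queued r1bio survive the raid_disks update, with a suspend-style barrier that drains every in-flight r1bio first.

```c
/* Constructed model of the raid1 reshape race (added illustration, not kernel
 * code). raid_disks, nr_pending, nr_queued, retry_list, freeze_array(),
 * put_all_bios() and the mempool are simplified stand-ins; nr_sync_pending and
 * per-bucket counters are omitted and "waiting" is a predicate checked once. */
#include <stdbool.h>
#include <stdlib.h>

struct r1bio {
    int nslots;      /* bios[] slots allocated with this r1bio (2 per disk) */
    void *bios[];
};

struct conf {
    int raid_disks;
    int nr_pending;  /* r1bios in flight */
    int nr_queued;   /* subset of nr_pending parked on retry_list after an I/O error */
    struct r1bio *retry_list[8];
    int nr_retry;
};

/* Stand-in for conf->r1bio_pool allocation: size follows the current raid_disks. */
static struct r1bio *alloc_r1bio(struct conf *conf)
{
    int n = conf->raid_disks * 2;
    struct r1bio *r = calloc(1, sizeof(*r) + (size_t)n * sizeof(void *));
    if (!r) abort();
    r->nslots = n;
    conf->nr_pending++;
    return r;
}

/* I/O error path: the r1bio is queued for raid1d and counted in nr_queued. */
static void queue_for_retry(struct conf *conf, struct r1bio *r)
{
    if (conf->nr_retry == 8) abort();
    conf->retry_list[conf->nr_retry++] = r;
    conf->nr_queued++;
}

/* put_all_bios() loops over the *current* conf->raid_disks * 2, not the value
 * the r1bio was allocated with; a would-be OOB access is reported, not done. */
static bool put_all_bios(const struct conf *conf, struct r1bio *r)
{
    int n = conf->raid_disks * 2;
    if (n > r->nslots)
        return false;
    for (int i = 0; i < n; i++)
        r->bios[i] = NULL;
    return true;
}

/* free_r1bio(): put_all_bios(), then return the object to the pool. An object
 * whose size no longer matches the pool's element size is also a failure. */
static bool free_r1bio(struct conf *conf, struct r1bio *r)
{
    bool ok = put_all_bios(conf, r) && r->nslots == conf->raid_disks * 2;
    free(r);
    conf->nr_pending--;
    return ok;
}

/* raid1d releasing everything on retry_list. */
static bool drain_retry_list(struct conf *conf)
{
    bool ok = true;
    while (conf->nr_retry > 0) {
        struct r1bio *r = conf->retry_list[--conf->nr_retry];
        conf->nr_queued--;
        ok = free_r1bio(conf, r) && ok;
    }
    return ok;
}

/* freeze_array() as described: done once nr_pending - nr_queued reaches zero,
 * so queued r1bios do not hold it back. */
static bool freeze_array_satisfied(const struct conf *conf)
{
    return conf->nr_pending - conf->nr_queued == 0;
}

/* Suspend-style barrier: every in-flight r1bio, queued or not, must be gone. */
static bool suspend_satisfied(const struct conf *conf)
{
    return conf->nr_pending == 0;
}

/* One r1bio hits an I/O error and is queued; the reshape waits on `gate`,
 * updates raid_disks, and raid1d later releases whatever is still queued.
 * Returns true only if no out-of-bounds or wrong-size release happened. */
static bool reshape_scenario(bool (*gate)(const struct conf *), int old_disks, int new_disks)
{
    struct conf conf = { .raid_disks = old_disks };
    bool ok = true;

    queue_for_retry(&conf, alloc_r1bio(&conf));
    if (!gate(&conf))
        ok = drain_retry_list(&conf);   /* waiter blocks until raid1d has released it */
    conf.raid_disks = new_disks;        /* the reshape: new raid_disks, new pool size */
    ok = drain_retry_list(&conf) && ok; /* still queued? released against the new size */
    return ok;
}
```

reshape_scenario(freeze_array_satisfied, 2, 4) returns false: the freeze condition is met while the queued r1bio (allocated for 2 disks) is still alive, so the later release iterates over the new 4-disk bound. reshape_scenario(suspend_satisfied, 2, 4) returns true because the barrier only clears after the retry list is drained, which is the effect of suspending the array before the sysfs update. Shrinking (4 to 2) passes the bounds check but still fails under the freeze gate, since the object handed back no longer matches the new pool's element size.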
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71225.json"
}