5.5
CVE-2026-46050
- EPSS 0.1%
- Veröffentlicht 27.05.2026 12:57:06
- Zuletzt bearbeitet 16.06.2026 15:02:57
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
md/raid10: fix deadlock with check operation and nowait requests
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix deadlock with check operation and nowait requests
When an array check is running it will raise the barrier at which point
normal requests will become blocked and increment the nr_pending value to
signal there is work pending inside of wait_barrier(). NOWAIT requests
do not block and so will return immediately with an error, and additionally
do not increment nr_pending in wait_barrier(). Upstream change commit
43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a
call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit
this condition. raid_end_bio_io() eventually calls allow_barrier() and
it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even
though the corresponding increment on nr_pending didn't happen in the
NOWAIT case.
This can be easily seen by starting a check operation while an application
is doing nowait IO on the same array. This results in a deadlocked state
due to nr_pending value underflowing and so the md resync thread gets stuck
waiting for nr_pending to == 0.
Output of r10conf state of the array when we hit this condition:
crash> struct r10conf
barrier = 1,
nr_pending = {
counter = -41
},
nr_waiting = 15,
nr_queued = 0,
Example of md_sync thread stuck waiting on raise_barrier() and other
requests stuck in wait_barrier():
md1_resync
[<0>] raise_barrier+0xce/0x1c0
[<0>] raid10_sync_request+0x1ca/0x1ed0
[<0>] md_do_sync+0x779/0x1110
[<0>] md_thread+0x90/0x160
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30
kworker/u1040:2+flush-253:4
[<0>] wait_barrier+0x1de/0x220
[<0>] regular_request_wait+0x30/0x180
[<0>] raid10_make_request+0x261/0x1000
[<0>] md_handle_request+0x13b/0x230
[<0>] __submit_bio+0x107/0x1f0
[<0>] submit_bio_noacct_nocheck+0x16f/0x390
[<0>] ext4_io_submit+0x24/0x40
[<0>] ext4_do_writepages+0x254/0xc80
[<0>] ext4_writepages+0x84/0x120
[<0>] do_writepages+0x7a/0x260
[<0>] __writeback_single_inode+0x3d/0x300
[<0>] writeback_sb_inodes+0x1dd/0x470
[<0>] __writeback_inodes_wb+0x4c/0xe0
[<0>] wb_writeback+0x18b/0x2d0
[<0>] wb_workfn+0x2a1/0x400
[<0>] process_one_work+0x149/0x330
[<0>] worker_thread+0x2d2/0x410
[<0>] kthread+0xbe/0xf0
[<0>] ret_from_fork+0x34/0x50
[<0>] ret_from_fork_asm+0x1a/0x30Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.15.189 < 5.15.209
Linux ≫ Linux Kernel Version >= 6.1.146 < 6.1.175
Linux ≫ Linux Kernel Version >= 6.6.99 < 6.6.140
Linux ≫ Linux Kernel Version >= 6.12.39 < 6.12.86
Linux ≫ Linux Kernel Version >= 6.15.7 < 6.16
Linux ≫ Linux Kernel Version >= 6.16.1 < 6.18.27
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.4
Linux ≫ Linux Kernel Version6.16 Update-
Linux ≫ Linux Kernel Version6.16 Updaterc6
Linux ≫ Linux Kernel Version6.16 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.008 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-667 Improper Locking
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963
https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45
https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379
https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436
https://git.kernel.org/stable/c/2249983d971e6839b36284e6610390b2c217dfa1
https://git.kernel.org/stable/c/ae356d5eb1331d678985799f893e436314834a87