Bug 2481957 (CVE-2026-46051) - CVE-2026-46051 kernel: md/raid5: fix soft lockup in retry_aligned_read()
Summary: CVE-2026-46051 kernel: md/raid5: fix soft lockup in retry_aligned_read()
Keywords:
Status: NEW
Alias: CVE-2026-46051
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:04 UTC by OSIDB Bzimport
Modified: 2026-05-27 19:15 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:04:15 UTC
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix soft lockup in retry_aligned_read()

When retry_aligned_read() encounters an overlapped stripe, it releases
the stripe via raid5_release_stripe() which puts it on the lockless
released_stripes llist. In the next raid5d loop iteration,
release_stripe_list() drains the stripe onto handle_list (since
STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
runs before handle_active_stripes() and removes the stripe from
handle_list via find_get_stripe() -> list_del_init(). This prevents
handle_stripe() from ever processing the stripe to resolve the
overlap, causing an infinite loop and soft lockup.

Fix this by using __release_stripe() with temp_inactive_list instead
of raid5_release_stripe() in the failure path, so the stripe does not
go through the released_stripes llist. This allows raid5d to break out
of its loop, and the overlap will be resolved when the stripe is
eventually processed by handle_stripe().


Note You need to log in before you can comment on or make changes to this bug.