Bug 2429581 (CVE-2025-71135) - CVE-2025-71135 kernel: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
Summary: CVE-2025-71135 kernel: md/raid5: fix possible null-pointer dereferences in ra...
Keywords:
Status: NEW
Alias: CVE-2025-71135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-14 16:02 UTC by OSIDB Bzimport
Modified: 2026-01-14 20:55 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-14 16:02:01 UTC 
In the Linux kernel, the following vulnerability has been resolved:

md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()

The variable mddev->private is first assigned to conf and then checked:

  conf = mddev->private;
  if (!conf) ...

If conf is NULL, then mddev->private is also NULL. In this case,
null-pointer dereferences can occur when calling raid5_quiesce():

  raid5_quiesce(mddev, true);
  raid5_quiesce(mddev, false);

since mddev->private is assigned to conf again in raid5_quiesce(), and conf
is dereferenced in several places, for example:

  conf->quiesce = 0;
  wake_up(&conf->wait_for_quiescent);

To fix this issue, the function should unlock mddev and return before
invoking raid5_quiesce() when conf is NULL, following the existing pattern
in raid5_change_consistency_policy().
Comment 1 Jon Moroney 2026-01-14 20:52:29 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011453-CVE-2025-71135-9522@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.