HIGH
md LLBitmap Leak
CVE-2026-45955
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
KernelScan AI: 4.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout

When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitmap_daemon_fn) then continues to the next page without calling llbitmap_resume(), leaving the percpu_ref in a killed state permanently.

Fix this by resurrecting the percpu_ref before returning the error, ensuring the page control structure remains usable for subsequent operations.
02 KernelScan AI Analysis
Risk summary
Systems using MD RAID arrays with the new lockless bitmap feature are at risk of permanent resource unavailability when bitmap suspend operations time out. This can cause MD array operations to fail permanently, requiring a system restart to recover. This only affects systems with root-configured MD arrays using the lockless bitmap feature introduced in kernel 6.18.
Vulnerability analysis
The vulnerability occurs in the MD lockless bitmap suspend timeout handling, where percpu_ref resources are not properly restored on timeout. When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it kills the percpu_ref but fails to resurrect it before returning the error, leaving the page control structure permanently unusable. The fix adds percpu_ref_resurrect() before returning the timeout error, ensuring the resource remains usable for subsequent operations. This is a local privilege escalation requiring CAP_SYS_ADMIN to configure MD arrays.
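The timeout path described above, as a simplified single-threaded userspace C model added here for illustration; it is not the kernel's code or the patch. The `model_*` names and `page_usable_after_timeout()` are hypothetical, and only the kill / resurrect / tryget-live semantics are meant to mirror the kernel's percpu_ref API.

```c
/* Userspace toy model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for percpu_ref: a user count plus a "killed" flag. */
struct model_ref { long count; bool dead; };
static void model_kill(struct model_ref *r)      { r->dead = true; }
static void model_resurrect(struct model_ref *r) { r->dead = false; }
static void model_put(struct model_ref *r)       { r->count--; }

/* Like percpu_ref_tryget_live(): new users are refused once the ref is killed. */
static bool model_tryget_live(struct model_ref *r)
{
    if (r->dead)
        return false;
    r->count++;
    return true;
}

/* Suspend: kill the ref, then poll up to `ticks` times for users to drain. */
static int model_suspend_timeout(struct model_ref *r, int ticks, bool fixed)
{
    model_kill(r);
    while (ticks-- > 0)
        if (r->count == 0)
            return 0;           /* drained: the caller resumes later */
    if (fixed)
        model_resurrect(r);     /* the fix: undo the kill before erroring out */
    return -ETIMEDOUT;
}

/* Daemon-style caller: on error it skips the resume step. Returns whether
 * the page's ref still accepts new users after the timed-out suspend. */
static bool page_usable_after_timeout(bool fixed)
{
    struct model_ref ref = { .count = 0, .dead = false };
    model_tryget_live(&ref);    /* one in-flight user that outlasts the timeout */
    if (model_suspend_timeout(&ref, 3, fixed) == 0)
        model_resurrect(&ref);  /* normal resume path, not reached here */
    model_put(&ref);            /* the user finishes after the timeout */
    return model_tryget_live(&ref);
}

int main(void)
{
    printf("before fix: usable=%d\n", page_usable_after_timeout(false));
    printf("after fix:  usable=%d\n", page_usable_after_timeout(true));
    return 0;
}
```

In the unfixed path the ref stays killed even after the last user drops out, so every later tryget on that page fails; this is the permanent state the description refers to.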
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.14 | 095417d6b669 |
| 6.19 | 6.19.4 | 2446d0993501 |
| mainline | 7.0 | d119bd2e1643 |