DEBIAN-CVE-2024-27023
In the Linux kernel, the following vulnerability has been resolved: md: Fix missing release of 'active_io' for flush submit_flushes atomic_set(&mddev->flush_pending, 1); rdev_for_each_rcu(rdev, mddev) atomic_inc(&mddev->flush_pending); bi->bi_end_io = md_end_flush submit_bio(bi); /* flush io is done first */ md_end_flush if (atomic_dec_and_test(&mddev->flush_pending)) percpu_ref_put(&mddev->active_io) -> active_io is not released if (atomic_dec_and_test(&mddev->flush_pending)) -> missing release of active_io For consequence, mddev_suspend() will wait for 'active_io' to be zero forever. Fix this problem by releasing 'active_io' in submit_flushes() if 'flush_pending' is decreased to zero.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | linux | 6.1.55-1, 6.1.69-1, 6.1.76-1 |
| Debian:13 | linux | 0, 0 |
| Debian:14 | linux | 0, 0 |
Timeline
- May 1, 2024 CVE Published
- Apr 28, 2026 CVE Updated