In the Linux kernel, the following vulnerability has been resolved:
md/bitmap: fix GPF in write_page caused by resize race
A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod]
This is a use-after-free race between bitmap_daemon_work() and
__bitmap_resize(). The daemon iterates over bitmap->storage.filemap
without locking, while the resize path frees that storage via
md_bitmap_file_unmap(). quiesce() does not stop the md thread,
allowing concurrent access to freed pages.
Fix by holding mddev->bitmap_info.mutex during the bitmap update.
Exploitability
AV:LAC:HPR:LUI:NScope
S:UImpact
C:NI:NA:H4.7/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H