AZL-76407

In the Linux kernel, the following vulnerability has been resolved:

fs: dlm: fix use after free in midcomms commit

While working on processing dlm message in softirq context I experienced the following KASAN use-after-free warning:

[ 151.760477] ================================================================== [ 151.761803] BUG: KASAN: use-after-free in dlmmidcommscommitmhandle+0x19d/0x4b0 [ 151.763414] Read of size 4 at addr ffff88811a980c60 by task locktorture/1347

[ 151.765284] CPU: 7 PID: 1347 Comm: locktorture Not tainted 6.1.0-rc4+ #2828 [ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014 [ 151.768726] Call Trace: [ 151.769277] <TASK> [ 151.769748] dumpstacklvl+0x5b/0x86 [ 151.770556] printreport+0x180/0x4c8 [ 151.771378] ? kasancompletemodereportinfo+0x7c/0x1e0 [ 151.772241] ? dlmmidcommscommitmhandle+0x19d/0x4b0 [ 151.773069] kasanreport+0x93/0x1a0 [ 151.773668] ? dlmmidcommscommit_mhandle+0x19d/0x4b0 [ 151.774514] __asanload4+0x7e/0xa0 [ 151.775089] dlmmidcommscommitmhandle+0x19d/0x4b0 [ 151.775890] ? createmessage.isra.29.constprop.64+0x57/0xc0 [ 151.776770] sendcommon+0x19f/0x1b0 [ 151.777342] ? removefromwaiters+0x60/0x60 [ 151.778017] ? lock_downgrade+0x410/0x410 [ 151.778648] ? __thiscpupreemptcheck+0x13/0x20 [ 151.779421] ? rculockdepcurrentcpuonline+0x88/0xc0 [ 151.780292] convertlock+0x46/0x150 [ 151.780893] convertlock+0x7b/0xc0 [ 151.781459] dlmlock+0x3ac/0x580 [ 151.781993] ? 0xffffffffc0540000 [ 151.782522] ? torturestop+0x120/0x120 [dlmlocktorture] [ 151.783379] ? dlmscanrsbs+0xa70/0xa70 [ 151.784003] ? preemptcountsub+0xd6/0x130 [ 151.784661] ? ismoduleaddress+0x47/0x70 [ 151.785309] ? torturestop+0x120/0x120 [dlmlocktorture] [ 151.786166] ? 0xffffffffc0540000 [ 151.786693] ? lockdepinitmaptype+0xc3/0x360 [ 151.787414] ? 0xffffffffc0540000 [ 151.787947] torturedlmlocksync.isra.3+0xe9/0x150 [dlmlocktorture] [ 151.789004] ? torturestop+0x120/0x120 [dlmlocktorture] [ 151.789858] ? 0xffffffffc0540000 [ 151.790392] ? locktorturecleanup+0x20/0x20 [dlmlocktorture] [ 151.791347] ? delaytsc+0x94/0xc0 [ 151.791898] tortureexiter+0xc3/0xea [dlmlocktorture] [ 151.792735] ? torturestart+0x30/0x30 [dlmlocktorture] [ 151.793606] locktorture+0x177/0x270 [dlmlocktorture] [ 151.794448] ? torturedlmlocksync.isra.3+0x150/0x150 [dlmlocktorture] [ 151.795539] ? locktorturestats+0x80/0x80 [dlmlocktorture] [ 151.796476] ? dorawspinlock+0x11e/0x1e0 [ 151.797152] ? markheldlocks+0x34/0xb0 [ 151.797784] ? rawspinunlock_irqrestore+0x30/0x70 [ 151.798581] ? __kthreadparkme+0x79/0x110 [ 151.799246] ? tracepreempt_on+0x2a/0xf0 [ 151.799902] ? __kthreadparkme+0x79/0x110 [ 151.800579] ? preemptcount_sub+0xd6/0x130 [ 151.801271] ? __kasancheckread+0x11/0x20 [ 151.801963] ? _kthreadparkme+0xec/0x110 [ 151.802630] ? locktorturestats+0x80/0x80 [dlmlocktorture] [ 151.803569] kthread+0x192/0x1d0 [ 151.804104] ? kthreadcompleteandexit+0x30/0x30 [ 151.804881] retfromfork+0x1f/0x30 [ 151.805480] </TASK>

[ 151.806111] Allocated by task 1347: [ 151.806681] kasansavestack+0x26/0x50 [ 151.807308] kasansettrack+0x25/0x30 [ 151.807920] kasansavealloc_info+0x1e/0x30 [ 151.808609] _kasanslaballoc+0x63/0x80 [ 151.809263] kmemcachealloc+0x1ad/0x830 [ 151.809916] dlmallocatemhandle+0x17/0x20 [ 151.810590] dlmmidcommsgetmhandle+0x96/0x260 [ 151.811344] createmessage+0x95/0x180 [ 151.811994] createmessage.isra.29.constprop.64+0x57/0xc0 [ 151.812880] sendcommon+0x129/0x1b0 [ 151.813467] convertlock+0x46/0x150 [ 151.814074] convertlock+0x7b/0xc0 [ 151.814648] dlmlock+0x3ac/0x580 [ 151.815199] torturedlmlocksync.isra.3+0xe9/0x150 [dlmlocktorture] [ 151.816258] tortureexiter+0xc3/0xea [dlmlocktorture] [ 151.817129] lockt ---truncated---