CVE-2022-50211

In the Linux kernel, the following vulnerability has been resolved:

md-raid10: fix KASAN warning

There's a KASAN warning in raid10removedisk when running the lvm test lvconvert-raid-reshape.sh. We fix this warning by verifying that the value "number" is valid.

BUG: KASAN: slab-out-of-bounds in raid10removedisk+0x61/0x2a0 [raid10] Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682

CPU: 3 PID: 124682 Comm: mdXraid10 Not tainted 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x34/0x44 printreport.cold+0x45/0x57a ? _locktextstart+0x18/0x18 ? raid10removedisk+0x61/0x2a0 [raid10] kasanreport+0xa8/0xe0 ? raid10removedisk+0x61/0x2a0 [raid10] raid10removedisk+0x61/0x2a0 [raid10] Buffer I/O error on dev dm-76, logical block 15344, async page read ? _mutexunlockslowpath.constprop.0+0x1e0/0x1e0 removeandaddspares+0x367/0x8a0 [mdmod] ? superwritten+0x1c0/0x1c0 [mdmod] ? mutextrylock+0xac/0x120 ? rawspinlock+0x72/0xc0 ? _rawspinlockbh+0xc0/0xc0 mdcheckrecovery+0x848/0x960 [mdmod] raid10d+0xcf/0x3360 [raid10] ? schedclockcpu+0x185/0x1a0 ? rberase+0x4d4/0x620 ? varwakefunction+0xe0/0xe0 ? psigroupchange+0x411/0x500 ? preemptcountsub+0xf/0xc0 ? rawspinlockirqsave+0x78/0xc0 ? _locktextstart+0x18/0x18 ? raid10syncrequest+0x36c0/0x36c0 [raid10] ? preemptcountsub+0xf/0xc0 ? _rawspinunlockirqrestore+0x19/0x40 ? deltimersync+0xa9/0x100 ? trytodeltimersync+0xc0/0xc0 ? rawspinlockirqsave+0x78/0xc0 ? _locktextstart+0x18/0x18 ? _rawspinunlockirq+0x11/0x24 ? _listdelentryvalid+0x68/0xa0 ? finishwait+0xa3/0x100 mdthread+0x161/0x260 [mdmod] ? unregistermdpersonality+0xa0/0xa0 [mdmod] ? rawspinlockirqsave+0x78/0xc0 ? preparetowaitevent+0x2c0/0x2c0 ? unregistermdpersonality+0xa0/0xa0 [mdmod] kthread+0x148/0x180 ? kthreadcompleteandexit+0x20/0x20 retfrom_fork+0x1f/0x30 </TASK>

Allocated by task 124495: kasansavestack+0x1e/0x40 _kasankmalloc+0x80/0xa0 setupconf+0x140/0x5c0 [raid10] raid10run+0x4cd/0x740 [raid10] mdrun+0x6f9/0x1300 [mdmod] raidctr+0x2531/0x4ac0 [dmraid] dmtableaddtarget+0x2b0/0x620 [dmmod] tableload+0x1c8/0x400 [dmmod] ctlioctl+0x29e/0x560 [dmmod] dmcompatctlioctl+0x7/0x20 [dmmod] _docompatsysioctl+0xfa/0x160 dosyscall64+0x90/0xc0 entrySYSCALL64afterhwframe+0x46/0xb0

Last potentially related work creation: kasansavestack+0x1e/0x40 _kasanrecordauxstack+0x9e/0xc0 kvfreecallrcu+0x84/0x480 timerfdrelease+0x82/0x140 L _fput+0xfa/0x400 taskworkrun+0x80/0xc0 exittousermodeprepare+0x155/0x160 syscallexittousermode+0x12/0x40 dosyscall64+0x42/0xc0 entrySYSCALL64afterhwframe+0x46/0xb0

Second to last potentially related work creation: kasansavestack+0x1e/0x40 _kasanrecordauxstack+0x9e/0xc0 kvfreecallrcu+0x84/0x480 timerfdrelease+0x82/0x140 _fput+0xfa/0x400 taskworkrun+0x80/0xc0 exittousermodeprepare+0x155/0x160 syscallexittousermode+0x12/0x40 dosyscall64+0x42/0xc0 entrySYSCALL64afterhwframe+0x46/0xb0

The buggy address belongs to the object at ffff889108f3d200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 0 bytes to the right of 256-byte region [ffff889108f3d200, ffff889108f3d300)

The buggy address belongs to the physical page: page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c head:000000007ef2a34c order:2 compoundmapcount:0 compoundpincount:0 flags: 0x4000000000010200(slab|head|zone=2) raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff889108f3d280: 00 00 ---truncated---