DEBIAN-CVE-2022-50381

In the Linux kernel, the following vulnerability has been resolved: md: fix a crash in mempoolfree There's a crash in mempoolfree when running the lvm test shell/lvchange-rebuild-raid.sh. The reason for the crash is this: * superwritten calls atomicdecandtest(&mddev->pendingwrites) and wakeup(&mddev->sbwait). Then it calls rdevdecpending(rdev, mddev) and bioput(bio). * so, the process that waited on sbwait and that is woken up is racing with bioput(bio). * if the process wins the race, it calls biosetexit before bioput(bio) is executed. * bioput(bio) attempts to free a bio into a destroyed bio set - causing a crash in mempoolfree. We fix this bug by moving bioput before atomicdecandtest. We also move rdevdecpending before atomicdecandtest as suggested by Neil Brown. The function mdendflush has a similar bug - we must call bioput before we decrement the number of in-progress bios. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: errorcode(0x0002) - not-present page PGD 11557f0067 P4D 11557f0067 PUD 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Workqueue: kdelayd flushexpiredbios [dmdelay] RIP: 0010:mempoolfree+0x47/0x80 Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00 RSP: 0018:ffff88910036bda8 EFLAGS: 00010093 RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8 RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900 R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000 R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05 FS: 0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0 Call Trace: <TASK> cloneendio+0xf4/0x1c0 [dmmod] cloneendio+0xf4/0x1c0 [dmmod] _submitbio+0x76/0x120 submitbionoacctnocheck+0xb6/0x2a0 flushexpiredbios+0x28/0x2f [dmdelay] processonework+0x1b4/0x300 workerthread+0x45/0x3e0 ? rescuerthread+0x380/0x380 kthread+0xc2/0x100 ? kthreadcompleteandexit+0x20/0x20 retfromfork+0x1f/0x30 </TASK> Modules linked in: brd dmdelay dmraid dmmod afpacket uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmtmisc configfs ipv6 virtiorng virtioballoon rngcore virtionet pcspkr netfailover failover qemufwcfg button mousedev raid10 raid456 libcrc32c asyncraid6recov asyncmemcpy asyncpq raid6pq asyncxor xor asynctx raid1 raid0 mdmod sdmod t10pi crc64rocksoft crc64 virtioscsi scsimod evdev psmouse bsg scsicommon [last unloaded: brd] CR2: 0000000000000000 ---[ end trace 0000000000000000 ]---