CVE-2022-50084

In the Linux kernel, the following vulnerability has been resolved:

dm raid: fix address sanitizer warning in raid_status

There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid

================================================================== BUG: KASAN: slab-out-of-bounds in raidstatus+0x1747/0x2820 [dmraid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> dumpstacklvl+0x6a/0x9c printaddressdescription.constprop.0+0x1f/0x1e0 printreport.cold+0x55/0x244 kasanreport+0xc9/0x100 raidstatus+0x1747/0x2820 [dmraid] dmimameasureontableload+0x4b8/0xca0 [dmmod] tableload+0x35c/0x630 [dmmod] ctlioctl+0x411/0x630 [dmmod] dmctlioctl+0xa/0x10 [dm_mod] __x64sysioctl+0x12a/0x1a0 dosyscall64+0x5b/0x80

The warning is caused by reading conf->maxnrstripes in raidstatus. The code in raidstatus reads mddev->private, casts it to struct r5conf and reads the entry maxnrstripes.

However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it.

Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.