cve/published/2022/CVE-2022-49259.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49259: block: don't delete queue kobject before its children

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

block: don't delete queue kobject before its children

kobjects aren't supposed to be deleted before their child kobjects are
deleted.  Apparently this is usually benign; however, a WARN will be
triggered if one of the child kobjects has a named attribute group:

    sysfs group 'modes' not found for kobject 'crypto'
    WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80
    ...
    Call Trace:
      sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312
      __kobject_del+0x20/0x80 lib/kobject.c:611
      kobject_cleanup+0xa4/0x140 lib/kobject.c:696
      kobject_release lib/kobject.c:736 [inline]
      kref_put include/linux/kref.h:65 [inline]
      kobject_put+0x53/0x70 lib/kobject.c:753
      blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159
      blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962
      del_gendisk+0x117/0x250 block/genhd.c:610

Fix this by moving the kobject_del() and the corresponding
kobject_uevent() to the correct place.

The Linux kernel CVE team has assigned CVE-2022-49259 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 4.19.238 with commit b2001eb10f59363da930cdd6e086a2861986fa18
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.4.189 with commit 84fe3ca6e7910beb47ec13509d484f84fa2a41ad
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.10.110 with commit 0b5924a14d64487ebd51127b0358d06066ef5384
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.15.33 with commit efaa0e969261e97c1fdd8e0338e5dd3ba5b9219c
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.16.19 with commit cf0cb8686e55d9c022944bc6ba9e19e832889e83
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.17.2 with commit 3d7e32c8da45957326f56937e0471c686d1a7711
	Issue introduced in 4.16 with commit 2c2086afc2b8b974fac32cb028e73dc27bfae442 and fixed in 5.18 with commit 0f69288253e9fc7c495047720e523b9f1aba5712

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49259
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	block/blk-sysfs.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b2001eb10f59363da930cdd6e086a2861986fa18
	https://git.kernel.org/stable/c/84fe3ca6e7910beb47ec13509d484f84fa2a41ad
	https://git.kernel.org/stable/c/0b5924a14d64487ebd51127b0358d06066ef5384
	https://git.kernel.org/stable/c/efaa0e969261e97c1fdd8e0338e5dd3ba5b9219c
	https://git.kernel.org/stable/c/cf0cb8686e55d9c022944bc6ba9e19e832889e83
	https://git.kernel.org/stable/c/3d7e32c8da45957326f56937e0471c686d1a7711
	https://git.kernel.org/stable/c/0f69288253e9fc7c495047720e523b9f1aba5712