drivers:md:fix a potential use-after-free bug

jira VULN-69330
cve CVE-2022-50022
commit-author Wentao_Liang <Wentao_Liang_g@163.com>
commit 1042124

In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
may cause sh to be released. However, sh is subsequently used in lines
2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
use-after-free bug.

It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
the function.

	Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
	Signed-off-by: Song Liu <song@kernel.org>
	Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 1042124)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

drivers/md/raid5.c

@@ -2904,10 +2904,10 @@ static void raid5_end_write_request(struct bio *bi)
 	if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags))
 		clear_bit(R5_LOCKED, &sh->dev[i].flags);
 	set_bit(STRIPE_HANDLE, &sh->state);
-	raid5_release_stripe(sh);
 
 	if (sh->batch_head && sh != sh->batch_head)
 		raid5_release_stripe(sh->batch_head);
+	raid5_release_stripe(sh);
 }
 
 static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)