From: Olivier Dautricourt <olivierdautricourt@gmail.com> mainline inclusion from mainline-v6.11-rc1 commit 54e4ada1a4206f878e345ae01cf37347d803d1b1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARVBS CVE: CVE-2024-46716 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor. This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor which does not correctly free the descriptors as first nodes were not removed from the list. Signed-off-by: Olivier Dautricourt <olivierdautricourt@gmail.com> Tested-by: Olivier Dautricourt <olivierdautricourt@gmail.com> Link: https://lore.kernel.org/r/20240608213216.25087-3-olivierdautricourt@gmail.co... Signed-off-by: Vinod Koul <vkoul@kernel.org> Conflicts: drivers/dma/altera-msgdma.c [Context conflicts due to a34da7ef9a8c ("dmaengine: altera-msgdma: Correctly handle descriptor callbacks") is not merged.] Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com> --- drivers/dma/altera-msgdma.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c index 9a841ce5f0c5..d7a16a45a2d8 100644 --- a/drivers/dma/altera-msgdma.c +++ b/drivers/dma/altera-msgdma.c @@ -232,7 +232,7 @@ static void msgdma_free_descriptor(struct msgdma_device *mdev, struct msgdma_sw_desc *child, *next; mdev->desc_free_cnt++; - list_add_tail(&desc->node, &mdev->free_list); + list_move_tail(&desc->node, &mdev->free_list); list_for_each_entry_safe(child, next, &desc->tx_list, node) { mdev->desc_free_cnt++; list_move_tail(&child->node, &mdev->free_list); @@ -587,8 +587,6 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) dma_async_tx_callback callback; void *callback_param; - list_del(&desc->node); - callback = desc->async_tx.callback; callback_param = desc->async_tx.callback_param; if (callback) { -- 2.34.1