From: VanGiang Nguyen vangiang.nguyen@rohde-schwarz.com
stable inclusion from stable-v5.10.227 commit 46c4079460f4dcaf445860679558eedef4e1bc91 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQSB CVE: CVE-2024-47739
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 9a22b2812393d93d84358a760c347c21939029a6 upstream.
When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next.
To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow.
Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs") Cc: stable@vger.kernel.org Co-developed-by: Christian Gafert christian.gafert@rohde-schwarz.com Signed-off-by: Christian Gafert christian.gafert@rohde-schwarz.com Co-developed-by: Max Ferger max.ferger@rohde-schwarz.com Signed-off-by: Max Ferger max.ferger@rohde-schwarz.com Signed-off-by: Van Giang Nguyen vangiang.nguyen@rohde-schwarz.com Acked-by: Daniel Jordan daniel.m.jordan@oracle.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Conflicts: kernel/padata.c [Conflicts due to 7033f87927d5 ("padata: Fix list iterator in padata_do_serial()") not merged.] Signed-off-by: Cheng Yu serein.chengyu@huawei.com --- kernel/padata.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c index 915945c932db..09e6207048aa 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -404,9 +404,11 @@ void padata_do_serial(struct padata_priv *padata)
spin_lock(&reorder->lock); /* Sort in ascending order of sequence number. */ - list_for_each_entry_reverse(cur, &reorder->list, list) - if (cur->seq_nr < padata->seq_nr) + list_for_each_entry_reverse(cur, &reorder->list, list) { + /* Compare by difference to consider integer wrap around */ + if ((signed int)(cur->seq_nr - padata->seq_nr) < 0) break; + } list_add(&padata->list, &cur->list); spin_unlock(&reorder->lock);
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12408 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Q...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12408 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Q...