[PATCH openEuler-22.03-LTS-SP1 V1] padata: use integer wrap around to prevent deadlock on seq_nr overflow - Kernel

25 Oct 2024

From: VanGiang Nguyen vangiang.nguyen@rohde-schwarz.com
stable inclusion
from stable-v5.10.227
commit 46c4079460f4dcaf445860679558eedef4e1bc91
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQSB
CVE: CVE-2024-47739
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 9a22b2812393d93d84358a760c347c21939029a6 upstream.
When submitting more than 2^32 padata objects to padata_do_serial, the
current sorting implementation incorrectly sorts padata objects with
overflowed seq_nr, causing them to be placed before existing objects in
the reorder list. This leads to a deadlock in the serialization process
as padata_find_next cannot match padata->seq_nr and pd->processed
because the padata instance with overflowed seq_nr will be selected
next.
To fix this, we use an unsigned integer wrap around to correctly sort
padata objects in scenarios with integer overflow.
Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
Cc: stable@vger.kernel.org
Co-developed-by: Christian Gafert christian.gafert@rohde-schwarz.com
Signed-off-by: Christian Gafert christian.gafert@rohde-schwarz.com
Co-developed-by: Max Ferger max.ferger@rohde-schwarz.com
Signed-off-by: Max Ferger max.ferger@rohde-schwarz.com
Signed-off-by: Van Giang Nguyen vangiang.nguyen@rohde-schwarz.com
Acked-by: Daniel Jordan daniel.m.jordan@oracle.com
Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Conflicts:
        kernel/padata.c
[Conflicts due to 7033f87927d5 ("padata: Fix list iterator in
padata_do_serial()") not merged.]
Signed-off-by: Cheng Yu serein.chengyu@huawei.com
---
 kernel/padata.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/padata.c b/kernel/padata.c
index 915945c932db..09e6207048aa 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -404,9 +404,11 @@ void padata_do_serial(struct padata_priv *padata)
spin_lock(&reorder->lock);
    /* Sort in ascending order of sequence number. */
-	list_for_each_entry_reverse(cur, &reorder->list, list)
-		if (cur->seq_nr < padata->seq_nr)
+	list_for_each_entry_reverse(cur, &reorder->list, list) {
+		/* Compare by difference to consider integer wrap around */
+		if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
    		break;
+	}
    list_add(&padata->list, &cur->list);
    spin_unlock(&reorder->lock);
-- 
2.25.1


    