Patch "dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dmaengine-idxd-fix-possible-use-after-free-in-irq_pr.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit aad323b56ecffb6e3fa25c23bfac6bc6aaa97ff6
Author: Li RongQing <lirongqing@xxxxxxxxx>
Date:   Mon Jun 3 09:24:44 2024 +0800

    dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
    
    [ Upstream commit e3215deca4520773cd2b155bed164c12365149a7 ]
    
    Use list_for_each_entry_safe() to allow iterating through the list and
    deleting the entry in the iteration process. The descriptor is freed via
    idxd_desc_complete() and there's a slight chance may cause issue for
    the list iterator when the descriptor is reused by another thread
    without it being deleted from the list.
    
    Fixes: 16e19e11228b ("dmaengine: idxd: Fix list corruption in description completion")
    Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
    Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>
    Reviewed-by: Fenghua Yu <fenghua.yu@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20240603012444.11902-1-lirongqing@xxxxxxxxx
    Signed-off-by: Vinod Koul <vkoul@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
index aa314ebec5878..4a3eb96b8199a 100644
--- a/drivers/dma/idxd/irq.c
+++ b/drivers/dma/idxd/irq.c
@@ -454,11 +454,13 @@ static void irq_process_work_list(struct idxd_irq_entry *irq_entry)
 
 	spin_unlock(&irq_entry->list_lock);
 
-	list_for_each_entry(desc, &flist, list) {
+	list_for_each_entry_safe(desc, n, &flist, list) {
 		/*
 		 * Check against the original status as ABORT is software defined
 		 * and 0xff, which DSA_COMP_STATUS_MASK can mask out.
 		 */
+		list_del(&desc->list);
+
 		if (unlikely(desc->completion->status == IDXD_COMP_DESC_ABORT)) {
 			idxd_dma_complete_txd(desc, IDXD_COMPLETE_ABORT, true);
 			continue;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux