From patchwork Mon May 27 06:19:20 2024
X-Patchwork-Submitter: Li RongQing
X-Patchwork-Id: 13674597
From: Li RongQing
To: fenghua.yu@intel.com, dave.jiang@intel.com, vkoul@kernel.org, dmaengine@vger.kernel.org
Cc: Li RongQing
Subject: [PATCH][RFC] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Date: Mon, 27 May 2024 14:19:20 +0800
Message-Id: <20240527061920.48626-1-lirongqing@baidu.com>
X-Mailer: git-send-email 2.9.4
X-Mailing-List: dmaengine@vger.kernel.org

I think when the description is freed, it may be used again because of a race, then its next may point to a value that should not be freed.

To prevent this, list_for_each_entry_safe should be used.

Signed-off-by: Li RongQing

--- drivers/dma/idxd/irq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c index 8dc029c..0c7fed7 100644 --- a/drivers/dma/idxd/irq.c +++ b/drivers/dma/idxd/irq.c @@ -611,7 +611,7 @@ static void irq_process_work_list(struct idxd_irq_entry *irq_entry) spin_unlock(&irq_entry->list_lock); - list_for_each_entry(desc, &flist, list) { + list_for_each_entry_safe(desc, n, &flist, list) { /* * Check against the original status as ABORT is software defined * and 0xff, which DSA_COMP_STATUS_MASK can mask out.
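Review bot: The switch to list_for_each_entry_safe(desc, n, &flist, list) after spin_unlock(&irq_entry->list_lock) only covers the case where the loop body itself frees or unlinks the current desc, because the macro caches the next entry before the body runs; it gives no protection if another context modifies the list concurrently, which is what the "race" wording in the commit message suggests. Please state in the commit message which call in the loop body can free desc, so the use-after-free is shown to be the iterator reading the freed entry's next pointer, and drop the "I think ... may be" hedging once that path is confirmed. Also, the hunk does not declare the cursor n and the diffstat shows a single insertion, so the change depends on n already being declared in irq_process_work_list with the same type as desc; that is worth confirming with a build, since the declaration is not visible in the context lines.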