Message ID | 20240603012444.11902-1-lirongqing@baidu.com |
---|---|
State | Accepted |
Commit | e3215deca4520773cd2b155bed164c12365149a7 |
Series | [v4] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list |

On 6/2/24 18:24, Li RongQing wrote:
> Use list_for_each_entry_safe() to allow iterating through the list and
> deleting the entry in the iteration process. The descriptor is freed via
> idxd_desc_complete() and there's a slight chance may cause issue for
> the list iterator when the descriptor is reused by another thread
> without it being deleted from the list.
>
> Fixes: 16e19e11228b ("dmaengine: idxd: Fix list corruption in description completion")
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> Reviewed-by: Dave Jiang <dave.jiang@intel.com>

Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>

Thanks.

-Fenghua

On Mon, 03 Jun 2024 09:24:44 +0800, Li RongQing wrote:
> Use list_for_each_entry_safe() to allow iterating through the list and
> deleting the entry in the iteration process. The descriptor is freed via
> idxd_desc_complete() and there's a slight chance may cause issue for
> the list iterator when the descriptor is reused by another thread
> without it being deleted from the list.
>
>
> [...]

Applied, thanks!

[1/1] dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
      commit: e3215deca4520773cd2b155bed164c12365149a7

Best regards,

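The iteration hazard described in the commit message, as an added user-space example that is not part of the patch or the idxd driver. The list helpers, `struct desc`, `complete_desc()`, `drain()` and `demo()` are constructed stand-ins for the kernel list API and the driver's descriptor completion.

```c
#include <stddef.h>
#include <stdlib.h>
/* Minimal user-space stand-ins for <linux/list.h>, constructed for this example. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

static void list_add_tail(struct list_head *e, struct list_head *h)
{
    e->prev = h->prev; e->next = h;
    h->prev->next = e; h->prev = e;
}
/* Unlink and poison the links (the kernel writes LIST_POISON1/2 here). */
static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;
}

struct desc { struct list_head list; };                /* hypothetical descriptor */
static void complete_desc(struct desc *d) { free(d); } /* hands d back for reuse */

/* Safe drain: save the successor first, unlink the entry, then complete it.
 * A plain list_for_each_entry() would read d->list.next after complete_desc(). */
static int drain(struct list_head *flist)
{
    struct list_head *pos, *n;
    int done = 0;
    for (pos = flist->next, n = pos->next; pos != flist; pos = n, n = pos->next) {
        struct desc *d = container_of(pos, struct desc, list);
        list_del(&d->list);
        complete_desc(d);      /* d must not be touched after this call */
        done++;
    }
    return done;
}

/* Queue `count` descriptors, drain them; -1 if the list head is left non-empty. */
int demo(int count)
{
    struct list_head flist = { &flist, &flist };
    for (int i = 0; i < count; i++) {
        struct desc *d = malloc(sizeof(*d));
        if (!d) break;
        list_add_tail(&d->list, &flist);
    }
    int done = drain(&flist);
    return (flist.next == &flist && flist.prev == &flist) ? done : -1;
}

int main(void) { return demo(3) == 3 ? 0 : 1; }
```
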
diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c index 8dc029c..fc049c9 100644 --- a/drivers/dma/idxd/irq.c +++ b/drivers/dma/idxd/irq.c @@ -611,11 +611,13 @@ static void irq_process_work_list(struct idxd_irq_entry *irq_entry) spin_unlock(&irq_entry->list_lock); - list_for_each_entry(desc, &flist, list) { + list_for_each_entry_safe(desc, n, &flist, list) { /* * Check against the original status as ABORT is software defined * and 0xff, which DSA_COMP_STATUS_MASK can mask out. */ + list_del(&desc->list); + if (unlikely(desc->completion->status == IDXD_COMP_DESC_ABORT)) { idxd_desc_complete(desc, IDXD_COMPLETE_ABORT, true); continue;
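
Review bot: the added list_del(&desc->list) sits between the "Check against the original status as ABORT is software defined" comment and the status check that comment documents, so the comment now reads as if it describes the unlink. Make list_del() the first statement of the loop body, above the comment block, and keep the comment directly over the unlikely(desc->completion->status == IDXD_COMP_DESC_ABORT) test. Separately, list_for_each_entry_safe(desc, n, &flist, list) uses n as its cursor, but no declaration of n appears in this hunk; confirm the function declares it with the same type as desc.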