Skip to content

Commit 351b450

Browse files
emmilemmil
committed
Merge: CVE-2024-47739: padata: use integer wrap around to prevent deadlock on seq_nr overflow
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5722 JIRA: https://issues.redhat.com/browse/RHEL-63240 CVE: CVE-2024-47739 commit 9a22b28 Author: VanGiang Nguyen <vangiang.nguyen@rohde-schwarz.com> Date: Fri Aug 9 06:21:42 2024 +0000 padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow. Fixes: bfde23c ("padata: unbind parallel jobs from specific CPUs") Cc: <stable@vger.kernel.org> Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com> Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com> Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com> Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com> Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com> Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Radostin Stoyanov <radostin@redhat.com> Approved-by: Chris von Recklinghausen <crecklin@redhat.com> Approved-by: Rafael Aquini <raquini@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Rado Vrbovsky <rvrbovsk@redhat.com>
2 parents 16b8921 + 372577e commit 351b450

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

kernel/padata.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv *padata)
404404
/* Sort in ascending order of sequence number. */
405405
list_for_each_prev(pos, &reorder->list) {
406406
cur = list_entry(pos, struct padata_priv, list);
407-
if (cur->seq_nr < padata->seq_nr)
407+
/* Compare by difference to consider integer wrap around */
408+
if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
408409
break;
409410
}
410411
list_add(&padata->list, pos);

0 commit comments

Comments
 (0)