kernel/padata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
When submitting more than 2^32 padata objects to padata_do_serial, the
current sorting implementation incorrectly sorts padata objects with
overflowed seq_nr, causing them to be placed before existing objects in
the reorder list. This leads to a deadlock in the serialization process
as padata_find_next cannot match padata->seq_nr and pd->processed
because the padata instance with overflowed seq_nr will be selected
next.
To fix this, we use an unsigned integer wrap around to correctly sort
padata objects in scenarios with integer overflow.
Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com>
Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com>
Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com>
---
kernel/padata.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 53f4bc912712..222bccd0c96b 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv *padata)
/* Sort in ascending order of sequence number. */
list_for_each_prev(pos, &reorder->list) {
cur = list_entry(pos, struct padata_priv, list);
- if (cur->seq_nr < padata->seq_nr)
+ /* Compare by difference to consider integer wrap around */
+ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
break;
}
list_add(&padata->list, pos);
--
2.34.1VanGiang Nguyen <vangiang.nguyen@rohde-schwarz.com> wrote: > When submitting more than 2^32 padata objects to padata_do_serial, the > current sorting implementation incorrectly sorts padata objects with > overflowed seq_nr, causing them to be placed before existing objects in > the reorder list. This leads to a deadlock in the serialization process > as padata_find_next cannot match padata->seq_nr and pd->processed > because the padata instance with overflowed seq_nr will be selected > next. > > To fix this, we use an unsigned integer wrap around to correctly sort > padata objects in scenarios with integer overflow. > > Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com> > Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com> > Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com> > Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com> > Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com> > --- > kernel/padata.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) Patch applied. Thanks. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Hello Van Giang,
On Fri, Aug 09, 2024 at 06:21:42AM GMT, VanGiang Nguyen wrote:
> When submitting more than 2^32 padata objects to padata_do_serial, the
> current sorting implementation incorrectly sorts padata objects with
> overflowed seq_nr, causing them to be placed before existing objects in
> the reorder list. This leads to a deadlock in the serialization process
> as padata_find_next cannot match padata->seq_nr and pd->processed
> because the padata instance with overflowed seq_nr will be selected
> next.
>
> To fix this, we use an unsigned integer wrap around to correctly sort
> padata objects in scenarios with integer overflow.
>
Could use a Fixes tag like this one:
Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
Otherwise looks good, thanks.
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
> Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
> Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
> Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com>
> Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com>
> Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com>
> ---
> kernel/padata.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/padata.c b/kernel/padata.c
> index 53f4bc912712..222bccd0c96b 100644
> --- a/kernel/padata.c
> +++ b/kernel/padata.c
> @@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv *padata)
> /* Sort in ascending order of sequence number. */
> list_for_each_prev(pos, &reorder->list) {
> cur = list_entry(pos, struct padata_priv, list);
> - if (cur->seq_nr < padata->seq_nr)
> + /* Compare by difference to consider integer wrap around */
> + if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
> break;
> }
> list_add(&padata->list, pos);
> --
> 2.34.1
>
When submitting more than 2^32 padata objects to padata_do_serial, the
current sorting implementation incorrectly sorts padata objects with
overflowed seq_nr, causing them to be placed before existing objects in
the reorder list. This leads to a deadlock in the serialization process
as padata_find_next cannot match padata->seq_nr and pd->processed
because the padata instance with overflowed seq_nr will be selected
next.
To fix this, we use an unsigned integer wrap around to correctly sort
padata objects in scenarios with integer overflow.
Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com>
Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com>
Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
---
v2: include Fixes tag and Daniel's Acked-by tag
v1: https://lore.kernel.org/a16995232eda4d39812f4bd94d9fb846@rohde-schwarz.com
kernel/padata.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 53f4bc912712..222bccd0c96b 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv *padata)
/* Sort in ascending order of sequence number. */
list_for_each_prev(pos, &reorder->list) {
cur = list_entry(pos, struct padata_priv, list);
- if (cur->seq_nr < padata->seq_nr)
+ /* Compare by difference to consider integer wrap around */
+ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
break;
}
list_add(&padata->list, pos);
--
2.34.1© 2016 - 2026 Red Hat, Inc.