!13112 fix CVE-2024-49926

	u8				rcu_tasks_idx;

	int				rcu_tasks_idle_cpu;

	struct list_head		rcu_tasks_holdout_list;

	int				rcu_tasks_exit_cpu;

	struct list_head		rcu_tasks_exit_list;

#endif /* #ifdef CONFIG_TASKS_RCU */

#ifdef CONFIG_TASKS_TRACE_RCU

	.rcu_tasks_holdout = false,

	.rcu_tasks_holdout_list = LIST_HEAD_INIT(init_task.rcu_tasks_holdout_list),

	.rcu_tasks_idle_cpu = -1,

	.rcu_tasks_exit_list = LIST_HEAD_INIT(init_task.rcu_tasks_exit_list),

#endif

#ifdef CONFIG_TASKS_TRACE_RCU

	.trc_reader_nesting = 0,

	p->rcu_tasks_holdout = false;

	INIT_LIST_HEAD(&p->rcu_tasks_holdout_list);

	p->rcu_tasks_idle_cpu = -1;

	INIT_LIST_HEAD(&p->rcu_tasks_exit_list);

#endif /* #ifdef CONFIG_TASKS_RCU */

#ifdef CONFIG_TASKS_TRACE_RCU

	p->trc_reader_nesting = 0;

 * @rtp_irq_work: IRQ work queue for deferred wakeups.

 * @barrier_q_head: RCU callback for barrier operation.

 * @rtp_blkd_tasks: List of tasks blocked as readers.

 * @rtp_exit_list: List of tasks in the latter portion of do_exit().

 * @cpu: CPU number corresponding to this entry.

 * @index: Index of this CPU in rtpcp_array of the rcu_tasks structure.

 * @rtpp: Pointer to the rcu_tasks structure.

 */

struct rcu_tasks_percpu {

	struct irq_work rtp_irq_work;

	struct rcu_head barrier_q_head;

	struct list_head rtp_blkd_tasks;

	struct list_head rtp_exit_list;

	int cpu;

	int index;

	struct rcu_tasks *rtpp;

};

 * @postgp_func: This flavor's post-grace-period function (optional).

 * @call_func: This flavor's call_rcu()-equivalent function.

 * @rtpcpu: This flavor's rcu_tasks_percpu structure.

 * @rtpcp_array: Array of pointers to rcu_tasks_percpu structure of CPUs in cpu_possible_mask.

 * @percpu_enqueue_shift: Shift down CPU ID this much when enqueuing callbacks.

 * @percpu_enqueue_lim: Number of per-CPU callback queues in use for enqueuing.

 * @percpu_dequeue_lim: Number of per-CPU callback queues in use for dequeuing.

	postgp_func_t postgp_func;

	call_rcu_func_t call_func;

	struct rcu_tasks_percpu __percpu *rtpcpu;

	struct rcu_tasks_percpu **rtpcp_array;

	int percpu_enqueue_shift;

	int percpu_enqueue_lim;

	int percpu_dequeue_lim;

static int rcu_task_lazy_lim __read_mostly = 32;

module_param(rcu_task_lazy_lim, int, 0444);

static int rcu_task_cpu_ids;

/* RCU tasks grace-period state for debugging. */

#define RTGS_INIT		 0

#define RTGS_WAIT_WAIT_CBS	 1

	unsigned long flags;

	int lim;

	int shift;

	int maxcpu;

	int index = 0;

	if (rcu_task_enqueue_lim < 0) {

		rcu_task_enqueue_lim = 1;

	}

	lim = rcu_task_enqueue_lim;

	if (lim > nr_cpu_ids)

		lim = nr_cpu_ids;

	shift = ilog2(nr_cpu_ids / lim);

	if (((nr_cpu_ids - 1) >> shift) >= lim)

		shift++;

	WRITE_ONCE(rtp->percpu_enqueue_shift, shift);

	WRITE_ONCE(rtp->percpu_dequeue_lim, lim);

	smp_store_release(&rtp->percpu_enqueue_lim, lim);

	rtp->rtpcp_array = kcalloc(num_possible_cpus(), sizeof(struct rcu_tasks_percpu *), GFP_KERNEL);

	BUG_ON(!rtp->rtpcp_array);

	for_each_possible_cpu(cpu) {

		struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu);

		INIT_WORK(&rtpcp->rtp_work, rcu_tasks_invoke_cbs_wq);

		rtpcp->cpu = cpu;

		rtpcp->rtpp = rtp;

		rtpcp->index = index;

		rtp->rtpcp_array[index] = rtpcp;

		index++;

		if (!rtpcp->rtp_blkd_tasks.next)

			INIT_LIST_HEAD(&rtpcp->rtp_blkd_tasks);

		if (!rtpcp->rtp_exit_list.next)

			INIT_LIST_HEAD(&rtpcp->rtp_exit_list);

		maxcpu = cpu;

	}

	pr_info("%s: Setting shift to %d and lim to %d rcu_task_cb_adjust=%d.\n", rtp->name,

			data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim), rcu_task_cb_adjust);

	rcu_task_cpu_ids = maxcpu + 1;

	if (lim > rcu_task_cpu_ids)

		lim = rcu_task_cpu_ids;

	shift = ilog2(rcu_task_cpu_ids / lim);

	if (((rcu_task_cpu_ids - 1) >> shift) >= lim)

		shift++;

	WRITE_ONCE(rtp->percpu_enqueue_shift, shift);

	WRITE_ONCE(rtp->percpu_dequeue_lim, lim);

	smp_store_release(&rtp->percpu_enqueue_lim, lim);

	pr_info("%s: Setting shift to %d and lim to %d rcu_task_cb_adjust=%d rcu_task_cpu_ids=%d.\n",

			rtp->name, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim),

			rcu_task_cb_adjust, rcu_task_cpu_ids);

}

// Compute wakeup time for lazy callback timer.

			rtpcp->rtp_n_lock_retries = 0;

		}

		if (rcu_task_cb_adjust && ++rtpcp->rtp_n_lock_retries > rcu_task_contend_lim &&

		    READ_ONCE(rtp->percpu_enqueue_lim) != nr_cpu_ids)

		    READ_ONCE(rtp->percpu_enqueue_lim) != rcu_task_cpu_ids)

			needadjust = true;  // Defer adjustment to avoid deadlock.

	}

	// Queuing callbacks before initialization not yet supported.

	raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags);

	if (unlikely(needadjust)) {

		raw_spin_lock_irqsave(&rtp->cbs_gbl_lock, flags);

		if (rtp->percpu_enqueue_lim != nr_cpu_ids) {

		if (rtp->percpu_enqueue_lim != rcu_task_cpu_ids) {

			WRITE_ONCE(rtp->percpu_enqueue_shift, 0);

			WRITE_ONCE(rtp->percpu_dequeue_lim, nr_cpu_ids);

			smp_store_release(&rtp->percpu_enqueue_lim, nr_cpu_ids);

			WRITE_ONCE(rtp->percpu_dequeue_lim, rcu_task_cpu_ids);

			smp_store_release(&rtp->percpu_enqueue_lim, rcu_task_cpu_ids);

			pr_info("Switching %s to per-CPU callback queuing.\n", rtp->name);

		}

		raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags);

static int rcu_tasks_need_gpcb(struct rcu_tasks *rtp)

{

	int cpu;

	int dequeue_limit;

	unsigned long flags;

	bool gpdone = poll_state_synchronize_rcu(rtp->percpu_dequeue_gpseq);

	long n;

	long ncbsnz = 0;

	int needgpcb = 0;

	for (cpu = 0; cpu < smp_load_acquire(&rtp->percpu_dequeue_lim); cpu++) {

	dequeue_limit = smp_load_acquire(&rtp->percpu_dequeue_lim);

	for (cpu = 0; cpu < dequeue_limit; cpu++) {

		if (!cpu_possible(cpu))

			continue;

		struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu);

		/* Advance and accelerate any new callbacks. */

	if (rcu_task_cb_adjust && ncbs <= rcu_task_collapse_lim) {

		raw_spin_lock_irqsave(&rtp->cbs_gbl_lock, flags);

		if (rtp->percpu_enqueue_lim > 1) {

			WRITE_ONCE(rtp->percpu_enqueue_shift, order_base_2(nr_cpu_ids));

			WRITE_ONCE(rtp->percpu_enqueue_shift, order_base_2(rcu_task_cpu_ids));

			smp_store_release(&rtp->percpu_enqueue_lim, 1);

			rtp->percpu_dequeue_gpseq = get_state_synchronize_rcu();

			gpdone = false;

			pr_info("Completing switch %s to CPU-0 callback queuing.\n", rtp->name);

		}

		if (rtp->percpu_dequeue_lim == 1) {

			for (cpu = rtp->percpu_dequeue_lim; cpu < nr_cpu_ids; cpu++) {

			for (cpu = rtp->percpu_dequeue_lim; cpu < rcu_task_cpu_ids; cpu++) {

				if (!cpu_possible(cpu))

					continue;

				struct rcu_tasks_percpu *rtpcp = per_cpu_ptr(rtp->rtpcpu, cpu);

				WARN_ON_ONCE(rcu_segcblist_n_cbs(&rtpcp->cblist));

// Advance callbacks and invoke any that are ready.

static void rcu_tasks_invoke_cbs(struct rcu_tasks *rtp, struct rcu_tasks_percpu *rtpcp)

{

	int cpu;

	int cpunext;

	int cpuwq;

	unsigned long flags;

	int len;

	int index;

	struct rcu_head *rhp;

	struct rcu_cblist rcl = RCU_CBLIST_INITIALIZER(rcl);

	struct rcu_tasks_percpu *rtpcp_next;

	cpu = rtpcp->cpu;

	cpunext = cpu * 2 + 1;

	if (cpunext < smp_load_acquire(&rtp->percpu_dequeue_lim)) {

		rtpcp_next = per_cpu_ptr(rtp->rtpcpu, cpunext);

		cpuwq = rcu_cpu_beenfullyonline(cpunext) ? cpunext : WORK_CPU_UNBOUND;

	index = rtpcp->index * 2 + 1;

	if (index < num_possible_cpus()) {

		rtpcp_next = rtp->rtpcp_array[index];

		if (rtpcp_next->cpu < smp_load_acquire(&rtp->percpu_dequeue_lim)) {

			cpuwq = rcu_cpu_beenfullyonline(rtpcp_next->cpu) ? rtpcp_next->cpu : WORK_CPU_UNBOUND;

			queue_work_on(cpuwq, system_wq, &rtpcp_next->rtp_work);

		cpunext++;

		if (cpunext < smp_load_acquire(&rtp->percpu_dequeue_lim)) {

			rtpcp_next = per_cpu_ptr(rtp->rtpcpu, cpunext);

			cpuwq = rcu_cpu_beenfullyonline(cpunext) ? cpunext : WORK_CPU_UNBOUND;

			index++;

			if (index < num_possible_cpus()) {

				rtpcp_next = rtp->rtpcp_array[index];

				if (rtpcp_next->cpu < smp_load_acquire(&rtp->percpu_dequeue_lim)) {

					cpuwq = rcu_cpu_beenfullyonline(rtpcp_next->cpu) ? rtpcp_next->cpu : WORK_CPU_UNBOUND;

					queue_work_on(cpuwq, system_wq, &rtpcp_next->rtp_work);

				}

			}

		}

	}

	if (rcu_segcblist_empty(&rtpcp->cblist) || !cpu_possible(cpu))

	if (rcu_segcblist_empty(&rtpcp->cblist))

		return;

	raw_spin_lock_irqsave_rcu_node(rtpcp, flags);

	rcu_segcblist_advance(&rtpcp->cblist, rcu_seq_current(&rtp->tasks_gp_seq));