Commit 50e56e12 authored by Chen Ridong's avatar Chen Ridong Committed by Zicheng Qu
Browse files

padata: add pd get/put refcnt helper 

stable inclusion
from stable-v6.6.76
commit b5981c99467121792a70a3dd2eddf84cb3fafa08
category: other
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPBHS
CVE: CVE-2025-21727

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b5981c99467121792a70a3dd2eddf84cb3fafa08



--------------------------------

[ Upstream commit ae154202cc6a189b035359f3c4e143d5c24d5352 ]

Add helpers for pd to get/put refcnt to make code consice.

Signed-off-by: default avatarChen Ridong <chenridong@huawei.com>
Acked-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work")
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZicheng Qu <quzicheng@huawei.com>
parent 8c45ad1b

kernel/padata.c

+20 −7
Original line number Diff line number Diff line
@@ -60,6 +60,22 @@ struct padata_mt_job_state { 
static void padata_free_pd(struct parallel_data *pd);

static void __init padata_mt_helper(struct work_struct *work);



static inline void padata_get_pd(struct parallel_data *pd)

{

	refcount_inc(&pd->refcnt);

}



static inline void padata_put_pd_cnt(struct parallel_data *pd, int cnt)

{

	if (refcount_sub_and_test(cnt, &pd->refcnt))

		padata_free_pd(pd);

}



static inline void padata_put_pd(struct parallel_data *pd)

{

	padata_put_pd_cnt(pd, 1);

}



static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)

{

	int cpu, target_cpu;
@@ -211,7 +227,7 @@ int padata_do_parallel(struct padata_shell *ps, 
	if ((pinst->flags & PADATA_RESET))

		goto out;



	refcount_inc(&pd->refcnt);

	padata_get_pd(pd);

	padata->pd = pd;

	padata->cb_cpu = *cb_cpu;
@@ -385,8 +401,7 @@ static void padata_serial_worker(struct work_struct *serial_work) 
	}

	local_bh_enable();



	if (refcount_sub_and_test(cnt, &pd->refcnt))

		padata_free_pd(pd);

	padata_put_pd_cnt(pd, cnt);

}



/**
@@ -680,8 +695,7 @@ static int padata_replace(struct padata_instance *pinst) 
	synchronize_rcu();



	list_for_each_entry_continue_reverse(ps, &pinst->pslist, list)

		if (refcount_dec_and_test(&ps->opd->refcnt))

			padata_free_pd(ps->opd);

		padata_put_pd(ps->opd);



	pinst->flags &= ~PADATA_RESET;
@@ -1123,8 +1137,7 @@ void padata_free_shell(struct padata_shell *ps) 
	mutex_lock(&ps->pinst->lock);

	list_del(&ps->list);

	pd = rcu_dereference_protected(ps->pd, 1);

	if (refcount_dec_and_test(&pd->refcnt))

		padata_free_pd(pd);

	padata_put_pd(pd);

	mutex_unlock(&ps->pinst->lock);



	kfree(ps);