dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

dvdgomez · dvdgomez · commit 0fcfced12671 · 2025-06-06T08:22:00.000-07:00
jira VULN-8254 cve CVE-2024-40956 commit-author Li RongQing <lirongqing@baidu.com> commit e3215de Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. Fixes: 16e19e1 ("dmaengine: idxd: Fix list corruption in description completion") Signed-off-by: Li RongQing <lirongqing@baidu.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Fenghua Yu <fenghua.yu@intel.com> Link: https://lore.kernel.org/r/20240603012444.11902-1-lirongqing@baidu.com Signed-off-by: Vinod Koul <vkoul@kernel.org> (cherry picked from commit e3215de) Signed-off-by: David Gomez <dgomez@ciq.com>
diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
@@ -460,11 +460,13 @@ static void irq_process_work_list(struct idxd_irq_entry *irq_entry)
 
 	spin_unlock(&irq_entry->list_lock);
 
-	list_for_each_entry(desc, &flist, list) {
+	list_for_each_entry_safe(desc, n, &flist, list) {
 		/*
 		 * Check against the original status as ABORT is software defined
 		 * and 0xff, which DSA_COMP_STATUS_MASK can mask out.
 		 */
+		list_del(&desc->list);
+
 		if (unlikely(desc->completion->status == IDXD_COMP_DESC_ABORT)) {
 			idxd_dma_complete_txd(desc, IDXD_COMPLETE_ABORT, true);
 			continue;
