From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Tejun Heo", "Arjan van de Ven", "Linus Torvalds", "Adam Wallis", "Rasmus Villemoes", "Lai Jiangshan"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 198/410] kernel/async.c: revert "async: simplify lowest_in_progress()"

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------
From: Rasmus Villemoes

commit 4f7e988e63e336827f4150de48163bed05d653bd upstream.

This reverts commit 92266d6ef60c ("async: simplify lowest_in_progress()") which was simply wrong: In the case where domain is NULL, we now use the wrong offsetof() in the list_first_entry macro, so we don't actually fetch the ->cookie value, but rather the eight bytes located sizeof(struct list_head) further into the struct async_entry.

On 64 bit, that's the data member, while on 32 bit, that's a u64 built from func and data in some order.

I think the bug happens to be harmless in practice: It obviously only affects callers which pass a NULL domain, and AFAICT the only such caller is

  async_synchronize_full() ->
  async_synchronize_full_domain(NULL) ->
  async_synchronize_cookie_domain(ASYNC_COOKIE_MAX, NULL)

and the ASYNC_COOKIE_MAX means that in practice we end up waiting for the async_global_pending list to be empty - but it would break if somebody happened to pass (void*)-1 as the data element to async_schedule, and of course also if somebody ever does a async_synchronize_cookie_domain(, NULL) with a "finite" cookie value.

Maybe the "harmless in practice" means this isn't -stable material.  But I'm not completely confident my quick git grep'ing is enough, and there might be affected code in one of the earlier kernels that has since been removed, so I'll leave the decision to the stable guys.

Link: http://lkml.kernel.org/r/20171128104938.3921-1-linux@rasmusvillemoes.dk
Fixes: 92266d6ef60c "async: simplify lowest_in_progress()"
Signed-off-by: Rasmus Villemoes
Acked-by: Tejun Heo
Cc: Arjan van de Ven
Cc: Adam Wallis
Cc: Lai Jiangshan
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
 kernel/async.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/kernel/async.c +++ b/kernel/async.c 
@@ -84,20 +84,24 @@ static atomic_t entry_count; static async_cookie_t lowest_in_progress(struct async_domain *domain) { - struct list_head *pending; + struct async_entry *first = NULL; async_cookie_t ret = ASYNC_COOKIE_MAX; unsigned long flags; spin_lock_irqsave(&async_lock, flags); - if (domain) - pending = &domain->pending; - else - pending = &async_global_pending; + if (domain) { + if (!list_empty(&domain->pending)) + first = list_first_entry(&domain->pending, + struct async_entry, domain_list); + } else { + if (!list_empty(&async_global_pending)) + first = list_first_entry(&async_global_pending, + struct async_entry, global_list); + } - if (!list_empty(pending)) - ret = list_first_entry(pending, struct async_entry, - domain_list)->cookie; + if (first) + ret = first->cookie; spin_unlock_irqrestore(&async_lock, flags); return ret;
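
Review bot: the restored if/else in lowest_in_progress() has two branches that differ only in the list head and the member name, and nothing in the code says why they must stay separate, which is the trap the reverted simplification fell into. A short comment above the branches stating that entries on domain->pending are linked through domain_list while entries on async_global_pending are linked through global_list, so list_first_entry() must be given the matching member, would guard against the same cleanup being attempted again. Each list_empty() plus list_first_entry() pair could also be expressed with list_first_entry_or_null(), but for a stable backport staying identical to the upstream commit is the better choice.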
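
The offset mix-up described in the commit message, reproduced in user space as an added example (not code from the patch or from kernel/async.c). The struct layout, `cookie_via()`, `lowest_fixed()`, `lowest_simplified()` and `sample_entry()` are assumptions made for illustration; the sample entry is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-ins. The field order (cookie, func, data) is an assumption
 * taken from the commit message's description, not from kernel/async.c. */
struct list_head { struct list_head *next, *prev; };
typedef uint64_t async_cookie_t;
#define ASYNC_COOKIE_MAX UINT64_MAX

struct async_entry {
	struct list_head domain_list;
	struct list_head global_list;
	async_cookie_t cookie;
	void (*func)(void *data, async_cookie_t cookie);
	void *data;
};

/* What list_first_entry(..., member)->cookie does: subtract the member's
 * offset from the node address, then load the cookie field from there. */
static async_cookie_t cookie_via(const struct list_head *node, size_t member_off)
{
	const char *entry = (const char *)node - member_off;
	async_cookie_t c;
	memcpy(&c, entry + offsetof(struct async_entry, cookie), sizeof(c));
	return c;
}
/* Node from the global list with the matching member: the restored code. */
static async_cookie_t lowest_fixed(const struct async_entry *e)
{
	return cookie_via(&e->global_list, offsetof(struct async_entry, global_list));
}
/* Same node, but domain_list's offset: the reverted simplification. */
static async_cookie_t lowest_simplified(const struct async_entry *e)
{
	return cookie_via(&e->global_list, offsetof(struct async_entry, domain_list));
}
/* Constructed sample: cookie 7, data set to (void *)-1 as in the message. */
static struct async_entry sample_entry(void)
{
	struct async_entry e = { .cookie = 7, .data = (void *)(uintptr_t)-1 };
	return e;
}
int main(void)
{
	struct async_entry e = sample_entry();
	printf("fixed=%llu simplified=%#llx\n", (unsigned long long)lowest_fixed(&e),
	       (unsigned long long)lowest_simplified(&e));
	return 0;
}
```

On a 64-bit build the mismatched offset lands on `data`, so the sample entry reads back as `ASYNC_COOKIE_MAX`, the same value the function returns for an empty list.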