padata: Fix list iterator in padata_do_serial()

[ Upstream commit 57ddfecc72a6c9941d159543e1c0c0a74fe9afdd ]

list_for_each_entry_reverse() assumes that the iterated list is nonempty
and that every list_head is embedded in the same type, but its use in
padata_do_serial() breaks both rules.

This doesn't cause any issues now because padata_priv and padata_list
happen to have their list fields at the same offset, but we really
shouldn't be relying on that.

Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/kernel/padata.c b/kernel/padata.c
index 97f51e0..de90af5 100644 (file)
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -390,13 +390,16 @@ void padata_do_serial(struct padata_priv *padata)
        int hashed_cpu = padata_cpu_hash(pd, padata->seq_nr);
        struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
        struct padata_priv *cur;
+       struct list_head *pos;
 
        spin_lock(&reorder->lock);
        /* Sort in ascending order of sequence number. */
-       list_for_each_entry_reverse(cur, &reorder->list, list)
+       list_for_each_prev(pos, &reorder->list) {
+               cur = list_entry(pos, struct padata_priv, list);
                if (cur->seq_nr < padata->seq_nr)
                        break;
-       list_add(&padata->list, &cur->list);
+       }
+       list_add(&padata->list, pos);
        spin_unlock(&reorder->lock);
 
        /*