Message ID | 20230607101024.14559-1-npiggin@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | b4bda59b47879cce38a6ec5a01cd3cac702b5331 |
Series | powerpc/64s: Fix VAS mm use after free |

Context | Check | Description |
---|---|---|
snowpatch_ozlabs/github-powerpc_selftests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_ppctests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_sparse | success | Successfully ran 4 jobs. |
snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 6 jobs. |
snowpatch_ozlabs/github-powerpc_kernel_qemu | success | Successfully ran 24 jobs. |
> On 07-Jun-2023, at 3:40 PM, Nicholas Piggin <npiggin@gmail.com> wrote:
>
> The refcount on mm is dropped before the coprocessor is detached.
>
> Reported-by: Sachin Sant <sachinp@linux.ibm.com>
> Fixes: 7bc6f71bdff5f ("powerpc/vas: Define and use common vas_window struct")
> Fixes: b22f2d88e435c ("powerpc/pseries/vas: Integrate API with open/close windows")
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
> How's this for fixing your vas_deallocate_window warning at
> radix_tlb.c:991 ?
>
> I added a few new warnings in the TLB flush code recently which is
> why these new warns are showing up.
>

Thanks Nick. This fixes the reported warning. Nx-gzip as well as mce error inject
tests completed successfully.

Tested-by: Sachin Sant <sachinp@linux.ibm.com>

- Sachin

On Wed, 07 Jun 2023 20:10:24 +1000, Nicholas Piggin wrote:
> The refcount on mm is dropped before the coprocessor is detached.
>
>

Applied to powerpc/next.

[1/1] powerpc/64s: Fix VAS mm use after free
      https://git.kernel.org/powerpc/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331

cheers

diff --git a/arch/powerpc/platforms/powernv/vas-window.c b/arch/powerpc/platforms/powernv/vas-window.c index 0072682531d8..b664838008c1 100644 --- a/arch/powerpc/platforms/powernv/vas-window.c +++ b/arch/powerpc/platforms/powernv/vas-window.c @@ -1310,8 +1310,8 @@ int vas_win_close(struct vas_window *vwin) /* if send window, drop reference to matching receive window */ if (window->tx_win) { if (window->user_win) { - put_vas_user_win_ref(&vwin->task_ref); mm_context_remove_vas_window(vwin->task_ref.mm); + put_vas_user_win_ref(&vwin->task_ref); } put_rx_win(window->rxwin); } diff --git a/arch/powerpc/platforms/pseries/vas.c b/arch/powerpc/platforms/pseries/vas.c index 513180467562..9a44a98ba342 100644 --- a/arch/powerpc/platforms/pseries/vas.c +++ b/arch/powerpc/platforms/pseries/vas.c @@ -507,8 +507,8 @@ static int vas_deallocate_window(struct vas_window *vwin) vascaps[win->win_type].nr_open_windows--; mutex_unlock(&vas_pseries_mutex); - put_vas_user_win_ref(&vwin->task_ref); mm_context_remove_vas_window(vwin->task_ref.mm); + put_vas_user_win_ref(&vwin->task_ref); kfree(win); return 0;
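
Review bot: In vas_win_close(), inside the `if (window->user_win)` block, the order of the two calls is now load-bearing but nothing in the code says so; the only comment in view covers the receive-window reference. Suggest a one-line comment above `mm_context_remove_vas_window(vwin->task_ref.mm);` stating that it must run before `put_vas_user_win_ref(&vwin->task_ref);`, since per the commit message the put is what drops the mm refcount, so a later cleanup does not swap the lines back.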
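
Review bot: In vas_deallocate_window(), just before `kfree(win);`, the same two-call sequence is duplicated from vas_win_close() in powernv/vas-window.c, and both copies had the identical ordering mistake. Consider a small common helper that detaches the window from the mm context and then drops the task reference, so the required order lives in one place and the powernv and pseries paths cannot diverge again.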

The refcount on mm is dropped before the coprocessor is detached.

Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Fixes: 7bc6f71bdff5f ("powerpc/vas: Define and use common vas_window struct")
Fixes: b22f2d88e435c ("powerpc/pseries/vas: Integrate API with open/close windows")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
How's this for fixing your vas_deallocate_window warning at
radix_tlb.c:991 ?

I added a few new warnings in the TLB flush code recently which is
why these new warns are showing up.

Thanks,
Nick

 arch/powerpc/platforms/powernv/vas-window.c | 2 +-
 arch/powerpc/platforms/pseries/vas.c        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)