powerpc/64s: Fix VAS mm use after free

Message ID 20230607101024.14559-1-npiggin@gmail.com (mailing list archive)
State Accepted
Commit b4bda59b47879cce38a6ec5a01cd3cac702b5331

Checks

Context Check Description
snowpatch_ozlabs/github-powerpc_selftests success Successfully ran 8 jobs.
snowpatch_ozlabs/github-powerpc_ppctests success Successfully ran 8 jobs.
snowpatch_ozlabs/github-powerpc_sparse success Successfully ran 4 jobs.
snowpatch_ozlabs/github-powerpc_clang success Successfully ran 6 jobs.
snowpatch_ozlabs/github-powerpc_kernel_qemu success Successfully ran 24 jobs.

Commit Message

Nicholas Piggin June 7, 2023, 10:10 a.m. UTC
The refcount on mm is dropped before the coprocessor is detached.

Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Fixes: 7bc6f71bdff5f ("powerpc/vas: Define and use common vas_window struct")
Fixes: b22f2d88e435c ("powerpc/pseries/vas: Integrate API with open/close windows")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
How's this for fixing your vas_deallocate_window warning at
radix_tlb.c:991 ?

I added a few new warnings in the TLB flush code recently which is
why these new warns are showing up.

Thanks,
Nick

 arch/powerpc/platforms/powernv/vas-window.c | 2 +-
 arch/powerpc/platforms/pseries/vas.c        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Sachin Sant June 7, 2023, 10:42 a.m. UTC | #1
> On 07-Jun-2023, at 3:40 PM, Nicholas Piggin <npiggin@gmail.com> wrote:
> 
> The refcount on mm is dropped before the coprocessor is detached.
> 
> Reported-by: Sachin Sant <sachinp@linux.ibm.com>
> Fixes: 7bc6f71bdff5f ("powerpc/vas: Define and use common vas_window struct")
> Fixes: b22f2d88e435c ("powerpc/pseries/vas: Integrate API with open/close windows")
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
> How's this for fixing your vas_deallocate_window warning at
> radix_tlb.c:991 ?
> 
> I added a few new warnings in the TLB flush code recently which is
> why these new warns are showing up.
> 

Thanks Nick. This fixes the reported warning.
Nx-gzip as well as mce error inject tests completed successfully.

Tested-by: Sachin Sant <sachinp@linux.ibm.com>

- Sachin

Michael Ellerman July 3, 2023, 5:26 a.m. UTC | #2
On Wed, 07 Jun 2023 20:10:24 +1000, Nicholas Piggin wrote:
> The refcount on mm is dropped before the coprocessor is detached.
> 
> 

Applied to powerpc/next.

[1/1] powerpc/64s: Fix VAS mm use after free
      https://git.kernel.org/powerpc/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331

cheers

Patch

diff --git a/arch/powerpc/platforms/powernv/vas-window.c b/arch/powerpc/platforms/powernv/vas-window.c
index 0072682531d8..b664838008c1 100644
--- a/arch/powerpc/platforms/powernv/vas-window.c
+++ b/arch/powerpc/platforms/powernv/vas-window.c
@@ -1310,8 +1310,8 @@  int vas_win_close(struct vas_window *vwin)
 	/* if send window, drop reference to matching receive window */
 	if (window->tx_win) {
 		if (window->user_win) {
-			put_vas_user_win_ref(&vwin->task_ref);
 			mm_context_remove_vas_window(vwin->task_ref.mm);
+			put_vas_user_win_ref(&vwin->task_ref);
 		}
 		put_rx_win(window->rxwin);
 	}
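
Review bot: In the `if (window->user_win)` block the order of the two calls is now the only thing keeping `vwin->task_ref.mm` valid at the point of use, and nothing in the code records that. A short comment above `mm_context_remove_vas_window(vwin->task_ref.mm);` stating that it must run while the reference in `task_ref` is still held, that is, before `put_vas_user_win_ref(&vwin->task_ref);`, would keep a later cleanup from swapping the two lines back.
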
diff --git a/arch/powerpc/platforms/pseries/vas.c b/arch/powerpc/platforms/pseries/vas.c
index 513180467562..9a44a98ba342 100644
--- a/arch/powerpc/platforms/pseries/vas.c
+++ b/arch/powerpc/platforms/pseries/vas.c
@@ -507,8 +507,8 @@  static int vas_deallocate_window(struct vas_window *vwin)
 	vascaps[win->win_type].nr_open_windows--;
 	mutex_unlock(&vas_pseries_mutex);
 
-	put_vas_user_win_ref(&vwin->task_ref);
 	mm_context_remove_vas_window(vwin->task_ref.mm);
+	put_vas_user_win_ref(&vwin->task_ref);
 
 	kfree(win);
 	return 0;
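
Review bot: The `mm_context_remove_vas_window()` / `put_vas_user_win_ref()` pair in vas_deallocate_window() is the same two-call sequence, with the same ordering requirement, as the one changed in vas_win_close() in powernv/vas-window.c. A follow-up that moves both calls into one shared helper would put the detach-before-put order in a single place instead of two platform files. Separately, the symptom (the vas_deallocate_window warning at radix_tlb.c:991) appears only below the `---` line, so it will not reach the git history; one sentence in the commit message naming it would help anyone searching for that warning.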