!5175 arm64/mpam: Fix use-after-free when deleting resource groups

	return closid.intpartid;

}

/**

 * rdtgroup_remove - the helper to remove resource group safely

 * @rdtgrp: resource group to remove

 *

 * On resource group creation via a mkdir, an extra kernfs_node reference is

 * taken to ensure that the rdtgroup structure remains accessible for the

 * rdtgroup_kn_unlock() calls where it is removed.

 *

 * Drop the extra reference here, then free the rdtgroup structure.

 *

 * Return: void

 */

static inline void rdtgroup_remove(struct rdtgroup *rdtgrp)

{

	kernfs_put(rdtgrp->kn);

	kfree(rdtgrp);

}

#endif

#endif /* _ASM_ARM64_RESCTRL_H */

	if (IS_ERR(kn_subdir))

		return PTR_ERR(kn_subdir);

	kernfs_get(kn_subdir);

	ret = resctrl_group_kn_set_ugid(kn_subdir);

	if (ret)

		return ret;

	*kn_info = kernfs_create_dir(parent_kn, "info", parent_kn->mode, NULL);

	if (IS_ERR(*kn_info))

		return PTR_ERR(*kn_info);

	kernfs_get(*kn_info);

	ret = resctrl_group_add_files(*kn_info, RF_TOP_INFO);

	if (ret)

		}

	}

	/*

	 m This extra ref will be put in kernfs_remove() and guarantees

	 * that @rdtgrp->kn is always accessible.

	 */

	kernfs_get(*kn_info);

	ret = resctrl_group_kn_set_ugid(*kn_info);

	if (ret)

		goto out_destroy;

	    (rdtgrp->flags & RDT_DELETED)) {

		current->closid = 0;

		current->rmid = 0;

		kfree(rdtgrp);

		rdtgroup_remove(rdtgrp);

	}

	preempt_disable();

	if (atomic_dec_and_test(&rdtgrp->waitcount) &&

	    (rdtgrp->flags & RDT_DELETED)) {

		kernfs_unbreak_active_protection(kn);

		kernfs_put(rdtgrp->kn);

		kfree(rdtgrp);

		rdtgroup_remove(rdtgrp);

	} else {

		kernfs_unbreak_active_protection(kn);

	}

	if (dest_kn)

		*dest_kn = kn;

	/*

	 * This extra ref will be put in kernfs_remove() and guarantees

	 * that @rdtgrp->kn is always accessible.

	 */

	kernfs_get(kn);

	ret = resctrl_group_kn_set_ugid(kn);

	if (ret)

		goto out_destroy;

			dentry = ERR_PTR(ret);

			goto out_info;

		}

		kernfs_get(kn_mongrp);

		ret = mkdir_mondata_all_prepare(&resctrl_group_default);

		if (ret < 0) {

			dentry = ERR_PTR(ret);

			goto out_mongrp;

		}

		kernfs_get(kn_mondata);

		resctrl_group_default.mon.mon_data_kn = kn_mondata;

	}

		/* rmid may not be used */

		rmid_free(sentry->mon.rmid);

		list_del(&sentry->mon.crdtgrp_list);

		kfree(sentry);

		if (atomic_read(&sentry->waitcount) != 0)

			sentry->flags = RDT_DELETED;

		else

			rdtgroup_remove(sentry);

	}

}

		kernfs_remove(rdtgrp->kn);

		list_del(&rdtgrp->resctrl_group_list);

		kfree(rdtgrp);

		if (atomic_read(&rdtgrp->waitcount) != 0)

			rdtgrp->flags = RDT_DELETED;

		else

			rdtgroup_remove(rdtgrp);

	}

	/* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */

	update_closid_rmid(cpu_online_mask, &resctrl_group_default);

	 * kernfs_remove() will drop the reference count on "kn" which

	 * will free it. But we still need it to stick around for the

	 * resctrl_group_kn_unlock(kn} call below. Take one extra reference

	 * here, which will be dropped inside resctrl_group_kn_unlock().

	 * here, which will be dropped inside rdtgroup_remove().

	 */

	kernfs_get(kn);

out_prepare_clean:

	mkdir_mondata_all_prepare_clean(rdtgrp);

out_destroy:

	kernfs_put(rdtgrp->kn);

	kernfs_remove(rdtgrp->kn);

out_free_rmid:

	rmid_free(rdtgrp->mon.rmid);

static void mkdir_resctrl_prepare_clean(struct resctrl_group *rgrp)

{

	kernfs_remove(rgrp->kn);

	kfree(rgrp);

	rdtgroup_remove(rgrp);

}

/*

{

	resctrl_group_rm_mon(rdtgrp, tmpmask);

	/*

	 * one extra hold on this, will drop when we kfree(rdtgrp)

	 * in resctrl_group_kn_unlock()

	 */

	kernfs_get(kn);

	kernfs_remove(rdtgrp->kn);

	return 0;

{

	resctrl_group_rm_ctrl(rdtgrp, tmpmask);

	/*

	 * one extra hold on this, will drop when we kfree(rdtgrp)

	 * in resctrl_group_kn_unlock()

	 */

	kernfs_get(kn);

	kernfs_remove(rdtgrp->kn);

	return 0;