Commit b4bda59b authored Jun 07, 2023 by Nicholas Piggin Committed by Michael Ellerman Jun 15, 2023

powerpc/64s: Fix VAS mm use after free



The refcount on mm is dropped before the coprocessor is detached.

Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Fixes: 7bc6f71b ("powerpc/vas: Define and use common vas_window struct")
Fixes: b22f2d88 ("powerpc/pseries/vas: Integrate API with open/close windows")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230607101024.14559-1-npiggin@gmail.com

parent 27be2456

arch/powerpc/platforms/powernv/vas-window.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1310,8 +1310,8 @@ int vas_win_close(struct vas_window *vwin)
		/* if send window, drop reference to matching receive window */
		if (window->tx_win) {
		if (window->user_win) {
		put_vas_user_win_ref(&vwin->task_ref);
		mm_context_remove_vas_window(vwin->task_ref.mm);
		put_vas_user_win_ref(&vwin->task_ref);
		}
		put_rx_win(window->rxwin);
		}

arch/powerpc/platforms/pseries/vas.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -507,8 +507,8 @@ static int vas_deallocate_window(struct vas_window *vwin)
		vascaps[win->win_type].nr_open_windows--;
		mutex_unlock(&vas_pseries_mutex);

		put_vas_user_win_ref(&vwin->task_ref);
		mm_context_remove_vas_window(vwin->task_ref.mm);
		put_vas_user_win_ref(&vwin->task_ref);

		kfree(win);
		return 0;