powerpc/npu-dma.c: Fix crash after __mmu_notifier_register failure

Michael Ellerman patch-notifications at ellerman.id.au
Tue Mar 20 09:22:47 AEDT 2018

On Sat, 2018-02-10 at 03:20:06 UTC, Mark Hairgrove wrote:
> pnv_npu2_init_context wasn't checking the return code from
> __mmu_notifier_register. If __mmu_notifier_register failed, the
> npu_context was still assigned to the mm and the caller wasn't given any
> indication that things went wrong. Later on pnv_npu2_destroy_context would
> be called, which in turn called mmu_notifier_unregister and dropped
> mm->mm_count without having incremented it in the first place. This led to
> various forms of corruption like mm use-after-free and mm double-free.
> __mmu_notifier_register can fail with EINTR if a signal is pending, so
> this case can be frequent.
> This patch calls opal_npu_destroy_context on the failure paths, and makes
> sure not to assign mm->context.npu_context until past the failure points.
> Signed-off-by: Mark Hairgrove <mhairgrove at nvidia.com>
> Acked-By: Alistair Popple <alistair at popple.id.au>

Applied to powerpc next, thanks.
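As an added illustration that is not part of this thread or of the kernel source, the following user-space C model shows the reference-count imbalance the commit message describes: hypothetical stand-ins for __mmu_notifier_register/unregister and for the init and destroy paths, with the buggy and fixed init side by side (the model leaves out the opal_npu_destroy_context teardown the real fix adds on the failure path).

```c
#include <errno.h>
#include <stdbool.h>
/* User-space model of the refcount imbalance described above; the names are
 * hypothetical stand-ins, not the kernel's npu-dma.c code. */
struct mm_struct { int mm_count; void *npu_context; };
static bool signal_pending;
/* Stand-in for __mmu_notifier_register: takes a reference on mm only on
 * success; with a signal pending it fails with -EINTR and takes nothing. */
static int model_notifier_register(struct mm_struct *mm)
{
	if (signal_pending) return -EINTR;
	mm->mm_count++;
	return 0;
}
/* Stand-in for mmu_notifier_unregister: unconditionally drops a reference. */
static void model_notifier_unregister(struct mm_struct *mm) { mm->mm_count--; }
/* Buggy init: assigns the context first and ignores the register result. */
static int init_context_buggy(struct mm_struct *mm, void *ctx)
{
	mm->npu_context = ctx;
	model_notifier_register(mm);	/* error silently dropped */
	return 0;
}
/* Fixed init: propagate the error; assign only once past the failure point. */
static int init_context_fixed(struct mm_struct *mm, void *ctx)
{
	int rc = model_notifier_register(mm);
	if (rc) return rc;
	mm->npu_context = ctx;
	return 0;
}
/* Destroy path: drops the notifier reference whenever a context is attached. */
static void destroy_context(struct mm_struct *mm)
{
	if (mm->npu_context) model_notifier_unregister(mm);
	mm->npu_context = 0;
}

/* One init/destroy round with a signal pending. Starts at mm_count 1 (caller's
 * reference); a final 0 means a never-taken reference was dropped: early free. */
static int run_round(bool use_fixed)
{
	struct mm_struct mm = { .mm_count = 1 };
	int ctx = 42;	/* stands in for the allocated npu_context */
	signal_pending = true;
	if (use_fixed) init_context_fixed(&mm, &ctx);
	else init_context_buggy(&mm, &ctx);
	destroy_context(&mm);
	return mm.mm_count;
}
```

With the buggy init the round ends at mm_count 0, which in the kernel is the point where the mm is freed underneath its remaining users; the fixed init leaves the count balanced at 1.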


