On Wed, Apr 19, 2017 at 05:39:26PM +1000, Russell Currey wrote:
>eeh_handle_special_event() is called when an EEH event is detected but
>can't be narrowed down to a specific PE. This function looks through
>every PE to find one in an erroneous state, then calls the regular event
>handler eeh_handle_normal_event() once it knows which PE has an error.
>
>However, if eeh_handle_normal_event() found that the PE cannot possibly
>be recovered, it will free it, rendering the passed PE stale.
>This leads to a use after free in eeh_handle_special_event() as it attempts to
>clear the "recovering" state on the PE after eeh_handle_normal_event() returns.
>
>Thus, make sure the PE is valid when attempting to clear state in
>eeh_handle_special_event().
>
>Cc: <sta...@vger.kernel.org> #3.10+
>Reported-by: Alexey Kardashevskiy <a...@ozlabs.ru>
>Signed-off-by: Russell Currey <rus...@russell.cc>
Reviewed-by: Gavin Shan <gws...@linux.vnet.ibm.com>
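The bug pattern described in the commit message, as a toy model added here for illustration (this is not the kernel's EEH code and not part of the thread): a caller walks a list of PEs, hands each to a recovery handler that frees the PE when it cannot be recovered, and then clears a "recovering" flag on the pointer it passed in. The struct, the state bit, the handler's boolean return value and every function name below are assumptions made for the example; the real eeh_pe structure and the shape of the actual fix are not shown on this page. The buggy caller is kept only to show the defect and is never called on an unrecoverable PE; the fixed caller touches the PE only when the handler reports it is still valid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical toy PE; not the kernel's struct eeh_pe. */
#define PE_STATE_RECOVERING 0x2u

struct pe {
	int addr;                 /* constructed identifier */
	unsigned int state;
	bool recoverable;         /* constructed input: does recovery succeed? */
	struct pe *next;
};

static struct pe *pe_list;    /* hypothetical stand-in for the PE tree */

static struct pe *pe_alloc(int addr, bool recoverable)
{
	struct pe *pe = calloc(1, sizeof(*pe));
	if (!pe)
		abort();
	pe->addr = addr;
	pe->recoverable = recoverable;
	pe->next = pe_list;
	pe_list = pe;
	return pe;
}

/* True if @pe is still a live entry of the list (pointer compare only). */
static bool pe_is_valid(const struct pe *pe)
{
	for (struct pe *p = pe_list; p; p = p->next)
		if (p == pe)
			return true;
	return false;
}

/* Unlink and free @pe; after this every copy of the pointer is stale. */
static void pe_remove(struct pe *pe)
{
	for (struct pe **pp = &pe_list; *pp; pp = &(*pp)->next) {
		if (*pp == pe) {
			*pp = pe->next;
			free(pe);
			return;
		}
	}
}

/*
 * Stand-in for the per-PE handler: an unrecoverable PE is removed and
 * freed.  Returns true if @pe is still valid afterwards, false if it was
 * freed.  This return value is the hypothetical fix used here, not a
 * claim about the kernel's real signature.
 */
static bool handle_normal_event(struct pe *pe)
{
	pe->state |= PE_STATE_RECOVERING;
	if (pe->recoverable)
		return true;
	pe_remove(pe);            /* caller's pointer is now dangling */
	return false;
}

/* BUGGY caller showing the defect: clears state without knowing whether
 * the handler freed the PE.  Do not call on an unrecoverable PE. */
void handle_special_event_buggy(struct pe *pe)
{
	handle_normal_event(pe);
	pe->state &= ~PE_STATE_RECOVERING;   /* use after free if pe was freed */
}

/* Fixed caller: only touch the PE if it survived the handler. */
static void handle_special_event(struct pe *pe)
{
	if (handle_normal_event(pe))
		pe->state &= ~PE_STATE_RECOVERING;
}

/* Walk every PE, saving the next pointer first so a freed node is never
 * re-read.  Returns how many PEs remain in the list. */
int run_special_event(void)
{
	struct pe *next;
	int n = 0;

	for (struct pe *pe = pe_list; pe; pe = next) {
		next = pe->next;
		handle_special_event(pe);
	}
	for (struct pe *p = pe_list; p; p = p->next)
		n++;
	return n;
}

/* Constructed scenario: one recoverable PE and one that gets freed.
 * Returns 0 when the survivor is intact and the flag was cleared. */
int demo(void)
{
	pe_list = NULL;
	struct pe *good = pe_alloc(1, true);
	pe_alloc(2, false);

	if (run_special_event() != 1)
		return -1;
	if (!pe_is_valid(good))
		return -2;
	if (good->state & PE_STATE_RECOVERING)
		return -3;
	return 0;
}
```

The saved-next-pointer loop matters as much as the return value: if the walk re-read pe->next after the handler freed the node, the iteration itself would be a second use after free, independent of the state-clearing one the commit message describes.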