On Sat, 2018-02-10 at 03:20:06 UTC, Mark Hairgrove wrote:
> pnv_npu2_init_context wasn't checking the return code from
> __mmu_notifier_register. If __mmu_notifier_register failed, the
> npu_context was still assigned to the mm and the caller wasn't given any
> indication that things went wrong. Later on pnv_npu2_destroy_context would
> be called, which in turn called mmu_notifier_unregister and dropped
> mm->mm_count without having incremented it in the first place. This led to
> various forms of corruption like mm use-after-free and mm double-free.
>
> __mmu_notifier_register can fail with EINTR if a signal is pending, so
> this case can be frequent.
>
> This patch calls opal_npu_destroy_context on the failure paths, and makes
> sure not to assign mm->context.npu_context until past the failure points.
>
> Signed-off-by: Mark Hairgrove <mhairgr...@nvidia.com>
> Acked-By: Alistair Popple <alist...@popple.id.au>
Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/720c84046c26444fe825f8614ddceb

cheers
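The refcount imbalance described in the quoted commit message can be modelled outside the kernel. The following is an added, constructed example and not the powerpc/NPU code itself: `struct mm_model`, `register_notifier`, `unregister_notifier`, `buggy_init`, `fixed_init`, `destroy_context` and `run_cycle` are all hypothetical stand-ins for `mm->mm_count`, `__mmu_notifier_register`, `mmu_notifier_unregister`, `pnv_npu2_init_context` and `pnv_npu2_destroy_context`. It shows why ignoring the registration return code and assigning the context before the failure point leaves the owner's reference stolen on the destroy path, and why checking the return code and deferring the assignment keeps the count balanced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an mm: the notifier registration takes a reference
 * (mm_count++) and unregistration drops it (mm_count--).  Not kernel code. */
struct mm_model {
    int mm_count;       /* analogue of mm->mm_count */
    void *npu_context;  /* analogue of mm->context.npu_context */
};

/* Hypothetical stand-in for __mmu_notifier_register: on success it takes a
 * reference on the mm; on failure (e.g. a pending signal) it returns -EINTR
 * without touching the count. */
int register_notifier(struct mm_model *mm, bool signal_pending)
{
    if (signal_pending)
        return -EINTR;
    mm->mm_count++;
    return 0;
}

/* Hypothetical stand-in for mmu_notifier_unregister: drops one reference. */
void unregister_notifier(struct mm_model *mm)
{
    mm->mm_count--;
}

/* The pattern before the fix: the context is assigned first and the
 * registration return code is discarded, so the caller always sees success. */
int buggy_init(struct mm_model *mm, void *ctx, bool signal_pending)
{
    mm->npu_context = ctx;                      /* assigned before the failure point */
    (void)register_notifier(mm, signal_pending); /* return code ignored */
    return 0;
}

/* The pattern after the fix: check the return code, undo any earlier work on
 * the failure path (the opal_npu_destroy_context analogue would go here), and
 * only then publish the context. */
int fixed_init(struct mm_model *mm, void *ctx, bool signal_pending)
{
    int rc = register_notifier(mm, signal_pending);
    if (rc) {
        /* failure path: nothing was registered, nothing is assigned */
        return rc;
    }
    mm->npu_context = ctx;                      /* assigned only past the failure point */
    return 0;
}

/* Stand-in for pnv_npu2_destroy_context: tears down whatever init published. */
void destroy_context(struct mm_model *mm)
{
    if (mm->npu_context) {
        unregister_notifier(mm);
        mm->npu_context = NULL;
    }
}

/* One init/destroy cycle starting from the owner's single reference.  The
 * caller tears the context down only if init reported success.  Returns the
 * final mm_count: 1 means balanced; 0 means the owner's reference was dropped
 * without ever having been taken (the use-after-free / double-free setup). */
int run_cycle(bool use_fixed, bool signal_pending)
{
    struct mm_model mm = { .mm_count = 1, .npu_context = NULL };
    int ctx;
    int rc = use_fixed ? fixed_init(&mm, &ctx, signal_pending)
                       : buggy_init(&mm, &ctx, signal_pending);
    if (rc == 0)
        destroy_context(&mm);
    return mm.mm_count;
}

int main(void)
{
    printf("buggy, registration ok    -> mm_count %d\n", run_cycle(false, false));
    printf("buggy, registration EINTR -> mm_count %d\n", run_cycle(false, true));
    printf("fixed, registration ok    -> mm_count %d\n", run_cycle(true, false));
    printf("fixed, registration EINTR -> mm_count %d\n", run_cycle(true, true));
    return 0;
}
```

The two invariants worth checking in a review of any init/destroy pair like this are visible in `run_cycle`: the destroy path must drop exactly the references the init path took, and a failing init must leave no state behind that would cause the caller (or a later destroy) to believe a reference exists.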