gru: fix potential use-after-free when purging GRU tlbs
Fix potential SGI GRU bug that could cause a use-after-free. If one thread in a task is flushing the GRU and another thread destroys the GRU context, there is the potential to access a table after it has been freed. Copy the gms pointer to a local variable before unlocking the gts table. Note that no refcnt is needed for the gms - the reference is held indirectly by the task's mm_struct. Signed-off-by: Jack Steiner <steiner@sgi.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
b1b19fcfa4
commit
1926ee85a9
1 changed files with 3 additions and 1 deletions
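--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -702,6 +702,7 @@ int gru_user_flush_tlb(unsigned long arg)
 {
 struct gru_thread_state *gts;
 struct gru_flush_tlb_req req;
+struct gru_mm_struct *gms;
 
 STAT(user_flush_tlb);
 if (copy_from_user(&req, (void __user *)arg, sizeof(req)))
@@ -714,8 +715,9 @@ int gru_user_flush_tlb(unsigned long arg)
 if (!gts)
 return -EINVAL;
 
-gru_flush_tlb_range(gts->ts_gms, req.vaddr, req.len);
+gms = gts->ts_gms;
 gru_unlock_gts(gts);
+gru_flush_tlb_range(gms, req.vaddr, req.len);
 
 return 0;
 }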
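Review bot: The reason the `gms` pointer is copied out before `gru_unlock_gts(gts)` and then used without any reference of its own lives only in the commit message; the next maintainer reading `gms = gts->ts_gms;` in the second hunk will see an apparent use of a pointer obtained from a structure that was just unlocked and may "fix" it back. Suggest a comment on that line, e.g. `/* gts may be freed once unlocked; gms stays valid, it is held by the task's mm_struct */`, so the lifetime argument travels with the code. The middle of gru_user_flush_tlb (where gts is looked up and locked, between the two hunks) is outside the diff, so whether the lookup itself holds the lock across the flush cannot be confirmed from here.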