Commit 57b6f02f authored by Oded Gabbay's avatar Oded Gabbay

habanalabs: fix use-after-free bug

When the code iterates over the free list of physical pages nodes, it
deletes the physical page node which is used as the iterator.

Therefore, we need to use the safe version of the iteration to prevent
use-after-free.
Signed-off-by: default avatarOded Gabbay <ogabbay@kernel.org>
parent 2a835946
...@@ -2860,7 +2860,7 @@ int hl_vm_ctx_init(struct hl_ctx *ctx) ...@@ -2860,7 +2860,7 @@ int hl_vm_ctx_init(struct hl_ctx *ctx)
*/ */
void hl_vm_ctx_fini(struct hl_ctx *ctx) void hl_vm_ctx_fini(struct hl_ctx *ctx)
{ {
struct hl_vm_phys_pg_pack *phys_pg_list; struct hl_vm_phys_pg_pack *phys_pg_list, *tmp_phys_node;
struct hl_device *hdev = ctx->hdev; struct hl_device *hdev = ctx->hdev;
struct hl_vm_hash_node *hnode; struct hl_vm_hash_node *hnode;
struct hl_vm *vm = &hdev->vm; struct hl_vm *vm = &hdev->vm;
...@@ -2913,7 +2913,7 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx) ...@@ -2913,7 +2913,7 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx)
} }
spin_unlock(&vm->idr_lock); spin_unlock(&vm->idr_lock);
list_for_each_entry(phys_pg_list, &free_list, node) list_for_each_entry_safe(phys_pg_list, tmp_phys_node, &free_list, node)
free_phys_pg_pack(hdev, phys_pg_list); free_phys_pg_pack(hdev, phys_pg_list);
va_range_fini(hdev, ctx->va_range[HL_VA_RANGE_TYPE_DRAM]); va_range_fini(hdev, ctx->va_range[HL_VA_RANGE_TYPE_DRAM]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment