mirror of
https://github.com/torvalds/linux
synced 2024-10-07 11:53:31 +00:00
iommufd: Use iommufd_access_change_ioas in iommufd_access_destroy_object
Update iommufd_access_destroy_object() to call the new iommufd_access_change_ioas() helper. It is impossible to legitimately race iommufd_access_destroy_object() with iommufd_access_change_ioas() as iommufd_access_destroy_object() is only called once the refcount reache zero, so any concurrent iommufd_access_change_ioas() is already UAFing the memory. Link: https://lore.kernel.org/r/f9fbeca2cde7f8515da18d689b3e02a6a40a5e14.1690523699.git.nicolinc@nvidia.com Reviewed-by: Kevin Tian <kevin.tian@intel.com> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
This commit is contained in:
parent
9227da7816
commit
6129b59fcd
|
@ -753,12 +753,10 @@ void iommufd_access_destroy_object(struct iommufd_object *obj)
|
|||
struct iommufd_access *access =
|
||||
container_of(obj, struct iommufd_access, obj);
|
||||
|
||||
if (access->ioas) {
|
||||
iopt_remove_access(&access->ioas->iopt, access,
|
||||
access->iopt_access_list_id);
|
||||
refcount_dec(&access->ioas->obj.users);
|
||||
access->ioas = NULL;
|
||||
}
|
||||
mutex_lock(&access->ioas_lock);
|
||||
if (access->ioas)
|
||||
WARN_ON(iommufd_access_change_ioas(access, NULL));
|
||||
mutex_unlock(&access->ioas_lock);
|
||||
iommufd_ctx_put(access->ictx);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue