diff options
| author | Pan Bian <bianpan2016@163.com> | 2017-04-23 06:23:21 -0400 |
|---|---|---|
| committer | Joerg Roedel <jroedel@suse.de> | 2017-04-24 06:33:34 -0400 |
| commit | 73dbd4a4230216b6a5540a362edceae0c9b4876b (patch) | |
| tree | 1af257e9a90628ab2e0e97ba87cbe342764fc455 | |
| parent | 5a7ad1146caa895ad718a534399e38bd2ba721b7 (diff) | |
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
In function amd_iommu_bind_pasid(), the control flow jumps
to label out_free when pasid_state->mm and mm is NULL. And
mmput(mm) is called. In function mmput(mm), mm is
referenced without validation. This will result in a NULL
dereference bug. This patch fixes the bug.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
| -rw-r--r-- | drivers/iommu/amd_iommu_v2.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c index 063343909b0d..6629c472eafd 100644 --- a/drivers/iommu/amd_iommu_v2.c +++ b/drivers/iommu/amd_iommu_v2.c | |||
| @@ -696,9 +696,9 @@ out_clear_state: | |||
| 696 | 696 | ||
| 697 | out_unregister: | 697 | out_unregister: |
| 698 | mmu_notifier_unregister(&pasid_state->mn, mm); | 698 | mmu_notifier_unregister(&pasid_state->mn, mm); |
| 699 | mmput(mm); | ||
| 699 | 700 | ||
| 700 | out_free: | 701 | out_free: |
| 701 | mmput(mm); | ||
| 702 | free_pasid_state(pasid_state); | 702 | free_pasid_state(pasid_state); |
| 703 | 703 | ||
| 704 | out: | 704 | out: |