cxl: Fix leaking pid refs in some error paths

In some error paths in functions cxl_start_context and afu_ioctl_start_work pid references to the current & group-leader tasks can leak after they are taken. This patch fixes these error paths to release these pid references before exiting the error path. Fixes: 7b8ad495d592 ("cxl: Fix DSI misses when the context owning task exits") Cc: stable@vger.kernel.org # v4.5+ Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> Reported-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com> Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com> Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
author: Vaibhav Jain <vaibhav@linux.vnet.ibm.com> 2016-10-21 05:23:53 -0400
committer: Michael Ellerman <mpe@ellerman.id.au> 2016-10-23 20:38:27 -0400
commit: a05b82d5149dfeef05254a11c3636a89a854520a (patch)
tree: 754443158c6580a98fe669086cf97f981d37d1bb /drivers/misc
parent: 80f23935cadb1c654e81951f5a8b7ceae0acc1b4 (diff)
2 files changed, 15 insertions, 9 deletions
diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
index af23d7dfe752..2e5233b60971 100644
--- a/drivers/misc/cxl/api.c
+++ b/drivers/misc/cxl/api.c
@@ -247,7 +247,9 @@ int cxl_start_context(struct cxl_context *ctx, u64 wed,
        cxl_ctx_get();
        if ((rc = cxl_ops->attach_process(ctx, kernel, wed, 0))) {
+                put_pid(ctx->glpid);
                put_pid(ctx->pid);
+                ctx->glpid = ctx->pid = NULL;
                cxl_adapter_context_put(ctx->afu->adapter);
                cxl_ctx_put();
                goto out;
diff --git a/drivers/misc/cxl/file.c b/drivers/misc/cxl/file.c
index d0b421f49b39..77080cc5fa0a 100644
--- a/drivers/misc/cxl/file.c
+++ b/drivers/misc/cxl/file.c
@@ -194,6 +194,16 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
        ctx->mmio_err_ff = !!(work.flags & CXL_START_WORK_ERR_FF);
        /*
+         * Increment the mapped context count for adapter. This also checks
+         * if adapter_context_lock is taken.
+         */
+        rc = cxl_adapter_context_get(ctx->afu->adapter);
+        if (rc) {
+                afu_release_irqs(ctx, ctx);
+                goto out;
+        }
+        /*
         * We grab the PID here and not in the file open to allow for the case
         * where a process (master, some daemon, etc) has opened the chardev on
         * behalf of another process, so the AFU's mm gets bound to the process
@@ -205,15 +215,6 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
        ctx->pid = get_task_pid(current, PIDTYPE_PID);
        ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
-        /*
-         * Increment the mapped context count for adapter. This also checks
-         * if adapter_context_lock is taken.
-         */
-        rc = cxl_adapter_context_get(ctx->afu->adapter);
-        if (rc) {
-                afu_release_irqs(ctx, ctx);
-                goto out;
-        }
        trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
@@ -221,6 +222,9 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
                                                        amr))) {
                afu_release_irqs(ctx, ctx);
                cxl_adapter_context_put(ctx->afu->adapter);
+                put_pid(ctx->glpid);
+                put_pid(ctx->pid);
+                ctx->glpid = ctx->pid = NULL;
                goto out;
        }
author	Vaibhav Jain <vaibhav@linux.vnet.ibm.com>	2016-10-21 05:23:53 -0400
committer	Michael Ellerman <mpe@ellerman.id.au>	2016-10-23 20:38:27 -0400
commit	a05b82d5149dfeef05254a11c3636a89a854520a (patch)
tree	754443158c6580a98fe669086cf97f981d37d1bb /drivers/misc
parent	80f23935cadb1c654e81951f5a8b7ceae0acc1b4 (diff)