From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753776AbdDKHOv (ORCPT <rfc822;w@1wt.eu>);
        Tue, 11 Apr 2017 03:14:51 -0400
Received: from mx1.redhat.com ([209.132.183.28]:43440 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752398AbdDKHOu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 11 Apr 2017 03:14:50 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0CB4FC04B326
Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=kernel.org
Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=none smtp.mailfrom=jolsa@kernel.org
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 0CB4FC04B326
From: Jiri Olsa <jolsa@kernel.org>
To: Fenghua Yu <fenghua.yu@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>,
        Peter Zijlstra <peterz@infradead.org>, Mike Galbraith <efault@gmx.de>,
        Shaohua Li <shli@fb.com>, lkml <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@kernel.org>, Thomas Gleixner <tglx@linutronix.de>
Subject: [PATCH] x86/intel_rdt: Fix locking in rdtgroup_schemata_write
Date: Tue, 11 Apr 2017 09:14:46 +0200
Message-Id: <20170411071446.15241-1-jolsa@kernel.org>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Tue, 11 Apr 2017 07:14:49 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently we release the schemata lock before we free the
resource's temporary tmp_cbms allocation, which could be
already used another concurrent access and crashed like:

  BUG: unable to handle kernel NULL pointer dereference at           (null)
  IP: rdtgroup_schemata_write+0x2d1/0x460
  ...
  SNIP
  ...
  rdtgroup_file_write+0x1b/0x30
  kernfs_fop_write+0xe0/0x160
  vfs_write+0xbd/0x1e0
  SyS_write+0x7f/0xe0
  system_call_fastpath+0x16/0x1b

Moving the unlock after the release code.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Shaohua Li <shli@fb.com>
---
 arch/x86/kernel/cpu/intel_rdt_schemata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/intel_rdt_schemata.c b/arch/x86/kernel/cpu/intel_rdt_schemata.c
index f369cb8db0d5..badd2b31a560 100644
--- a/arch/x86/kernel/cpu/intel_rdt_schemata.c
+++ b/arch/x86/kernel/cpu/intel_rdt_schemata.c
@@ -200,11 +200,11 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of,
 	}
 
 out:
-	rdtgroup_kn_unlock(of->kn);
 	for_each_enabled_rdt_resource(r) {
 		kfree(r->tmp_cbms);
 		r->tmp_cbms = NULL;
 	}
+	rdtgroup_kn_unlock(of->kn);
 	return ret ?: nbytes;
 }
 
-- 
2.9.3