habanalabs: fix use-after-free bug

When the code iterates over the free list of physical pages nodes, it deletes the physical page node which is used as the iterator. Therefore, we need to use the safe version of the iteration to prevent use-after-free. Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
author: Oded Gabbay <ogabbay@kernel.org> 2022-01-30 17:39:54 +0200
committer: Oded Gabbay <ogabbay@kernel.org> 2022-02-28 14:22:04 +0200
commit: 57b6f02fff3e2a8c394bbde6724950d492160356 (patch)
tree: 65f8380f153d27273ec8e2743ade9de76e3ecf91
parent: 2a835946ee49462fc18eb6db9b53be789acaf2e5 (diff)
download: iio-57b6f02fff3e2a8c394bbde6724950d492160356.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/misc/habanalabs/common/memory.c b/drivers/misc/habanalabs/common/memory.c
index 4778f23d809839..348daac621eecb 100644
--- a/drivers/misc/habanalabs/common/memory.c
+++ b/drivers/misc/habanalabs/common/memory.c
@@ -2860,7 +2860,7 @@ int hl_vm_ctx_init(struct hl_ctx *ctx)
  */
 void hl_vm_ctx_fini(struct hl_ctx *ctx)
 {
-	struct hl_vm_phys_pg_pack *phys_pg_list;
+	struct hl_vm_phys_pg_pack *phys_pg_list, *tmp_phys_node;
 	struct hl_device *hdev = ctx->hdev;
 	struct hl_vm_hash_node *hnode;
 	struct hl_vm *vm = &hdev->vm;
@@ -2913,7 +2913,7 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx)
 		}
 	spin_unlock(&vm->idr_lock);
 
-	list_for_each_entry(phys_pg_list, &free_list, node)
+	list_for_each_entry_safe(phys_pg_list, tmp_phys_node, &free_list, node)
 		free_phys_pg_pack(hdev, phys_pg_list);
 
 	va_range_fini(hdev, ctx->va_range[HL_VA_RANGE_TYPE_DRAM]);
author	Oded Gabbay <ogabbay@kernel.org>	2022-01-30 17:39:54 +0200
committer	Oded Gabbay <ogabbay@kernel.org>	2022-02-28 14:22:04 +0200
commit	57b6f02fff3e2a8c394bbde6724950d492160356 (patch)
tree	65f8380f153d27273ec8e2743ade9de76e3ecf91
parent	2a835946ee49462fc18eb6db9b53be789acaf2e5 (diff)
download	iio-57b6f02fff3e2a8c394bbde6724950d492160356.tar.gz