Re: [PATCH v4] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os

From: Zheng Hacker
Date: Wed Oct 26 2022 - 23:49:10 EST


Dimitri Sivanich <sivanich@xxxxxxx> wrote on Wed, Oct 19, 2022 at 22:00:

> In gru_set_context_option(), you are calling gru_unload_context() for all
> non-zero 'ret' values, but there are other instances where non-zero 'ret'
> values are being set that should not call gru_unload_context(). Maybe do
> this instead:
> if (gru_check_context_placement(gts)) {
> gru_unlock_gts(gts);
> gru_unload_context(gts, 1);
> return -EINVAL;
> }
>
> > }
> > break;
> > case sco_gseg_owner:

Yes, that's correct. I'll fix it later.

> > @@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts)
> > */
> > gru = gts->ts_gru;

> > - gru_check_context_placement(gts);
> > + ret = gru_check_context_placement(gts);
> > + if (ret) {
>
> One suggestion, there is now no need to declare 'ret'. Do this instead:
> if (gru_check_context_placement(gts)) {
>
> > + preempt_enable();
> > + mutex_unlock(&gts->ts_ctxlock);
> > + gru_unload_context(gts, 1);
> > + return VM_FAULT_NOPAGE;
> > + }
> >
> > if (!gts->ts_gru) {
> > STAT(load_user_context);
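Review bot: the new early-exit path in gru_fault carries no comment saying why a context whose placement check failed is unloaded and the fault returns VM_FAULT_NOPAGE; a one-line comment above the check (in either the `ret` form or the `if (gru_check_context_placement(gts)) {` form suggested above) would help whoever next reads this unwind path. The unwind itself, `preempt_enable(); mutex_unlock(&gts->ts_ctxlock); gru_unload_context(gts, 1);`, is open-coded here; if gru_fault already has a cleanup label that performs the same unlocking, jumping to it would keep the unlock order in one place rather than duplicating it.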

Got it! Thanks again for your advice :)

Regards,
Zheng Wang