Currently we release the schemata lock before we free the resource's temporary tmp_cbms allocation, which could already be in use by another concurrent access and crash like:
BUG: unable to handle kernel NULL pointer dereference at (null) IP: rdtgroup_schemata_write+0x2d1/0x460 ... SNIP ... rdtgroup_file_write+0x1b/0x30 kernfs_fop_write+0xe0/0x160 vfs_write+0xbd/0x1e0 SyS_write+0x7f/0xe0 system_call_fastpath+0x16/0x1b Moving the unlock after the release code. Signed-off-by: Jiri Olsa <jo...@kernel.org> Cc: Fenghua Yu <fenghua...@intel.com> Cc: Peter Zijlstra <a.p.zijls...@chello.nl> Cc: Peter Zijlstra <pet...@infradead.org> Cc: Mike Galbraith <efa...@gmx.de> Cc: Shaohua Li <s...@fb.com> --- arch/x86/kernel/cpu/intel_rdt_schemata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/intel_rdt_schemata.c b/arch/x86/kernel/cpu/intel_rdt_schemata.c index f369cb8db0d5..badd2b31a560 100644 --- a/arch/x86/kernel/cpu/intel_rdt_schemata.c +++ b/arch/x86/kernel/cpu/intel_rdt_schemata.c @@ -200,11 +200,11 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of, } out: - rdtgroup_kn_unlock(of->kn); for_each_enabled_rdt_resource(r) { kfree(r->tmp_cbms); r->tmp_cbms = NULL; } + rdtgroup_kn_unlock(of->kn); return ret ?: nbytes; } -- 2.9.3
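Review bot: Moving rdtgroup_kn_unlock() below the for_each_enabled_rdt_resource() loop closes the window in which a second writer could allocate r->tmp_cbms and then have it kfree()d and NULLed out from under it, but the root of the race is that tmp_cbms is a per-resource field (r->tmp_cbms) shared by all concurrent writers rather than a per-call buffer; consider stating in the commit message that every access to r->tmp_cbms must stay under the lock taken by rdtgroup_kn_lock_live(), or better, hang the scratch buffer off the caller so no locking rule is needed for it.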