iommufd: Fix refcounting race during mmap
The owner object of the imap can be destroyed while the imap remains in the mtree. So access to the imap pointer without holding locks is racy with destruction. The imap is safe to access outside the lock once a users refcount is obtained, the owner object cannot start destruction until users is 0. Thus the users refcount should not be obtained at the end of iommufd_fops_mmap() but instead inside the mtree lock held around the mtree_load(). Move the refcount there and use refcount_inc_not_zero() as we can have a 0 refcount inside the mtree during destruction races. Link: https://patch.msgid.link/r/0-v1-e6faace50971+3cc-iommufd_mmap_fix_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 56e9a0d8 ("iommufd: Add mmap interface") Reviewed-by:Kevin Tian <kevin.tian@intel.com> Reviewed-by:
Nicolin Chen <nicolinc@nvidia.com> Signed-off-by:
Jason Gunthorpe <jgg@nvidia.com>
Loading
Please sign in to comment