On Fri, Apr 08, 2022 at 09:35:23AM -0400, Dennis Dalessandro wrote:
> From: Douglas Miller <doug.miller@xxxxxxxxxxxxxxxxxxxx>
>
> Under certain conditions, such as MPI_Abort, the hfi1 cleanup
> code may represent the last reference held on the task mm.
> hfi1_mmu_rb_unregister() then drops the last reference and the mm is
> freed before the final use in hfi1_release_user_pages(). A new task
> may allocate the mm structure while it is still being used, resulting in
> problems. One manifestation is corruption of the mmap_sem counter leading
> to a hang in down_write(). Another is corruption of an mm struct that
> is in use by another task.
>
> Fixes: 3d2a9d642512 ("IB/hfi1: Ensure correct mm is used at all times")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Douglas Miller <doug.miller@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>
> ---
> drivers/infiniband/hw/hfi1/mmu_rb.c | 6 ++++++
> 1 file changed, 6 insertions(+)
Applied to for-rc, thanks
Jason
