On Tue, Jun 06, 2017 at 05:41:55PM +1000, Russell Currey wrote:
> eeh_handle_special_event() is called when an EEH event is detected but
> can't be narrowed down to a specific PE. This function looks through
> every PE to find one in an erroneous state, then calls the regular event
> handler eeh_handle_normal_event() once it knows which PE has an error.
>
> However, if eeh_handle_normal_event() found that the PE cannot possibly
> be recovered, it will free it, rendering the passed PE stale.
> This leads to a use after free in eeh_handle_special_event() as it attempts to
> clear the "recovering" state on the PE after eeh_handle_normal_event() returns.
>
> Thus, make sure the PE is valid when attempting to clear state in
> eeh_handle_special_event().
>
> Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event")
> Cc: stable@xxxxxxxxxxxxxxx # v3.11+
> Reported-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
> Signed-off-by: Russell Currey <ruscur@xxxxxxxxxx>
> Reviewed-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
> ---
> This is a backport for upstream patch daeba2956f32f91f3493788ff6ee02fb1b2f02fa
> that applies to 3.18 and 4.4.

Thanks for the patch, now applied.

greg k-h
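The lifetime contract behind the fix described in the quoted commit message, as an added illustration that is not the kernel's EEH code: a mock PE list where the normal-event handler reports whether it freed the PE, so the caller never clears the recovering state on a stale pointer. All mock_* names, the struct layout and the PE_RECOVERING flag are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical mock-up, not the kernel's EEH structures or functions. */
#define PE_RECOVERING 0x1
struct mock_pe {
    unsigned state;
    bool recoverable; /* constructed input: can this PE be recovered? */
};
/* Stand-in for eeh_handle_normal_event(): recovers the PE or, when it
 * cannot possibly be recovered, frees it.  Returning true tells the
 * caller the PE is gone, so the pointer must not be touched again. */
static bool mock_handle_normal_event(struct mock_pe *pe)
{
    if (!pe->recoverable) {
        free(pe);
        return true;
    }
    return false; /* PE still valid for the caller */
}

/* Stand-in for the caller in eeh_handle_special_event(): walks every PE,
 * hands it to the normal handler, and clears RECOVERING only on PEs
 * that still exist.  Returns how many PEs survived recovery. */
static int mock_handle_special_event(struct mock_pe **pes, int n)
{
    int alive = 0;
    for (int i = 0; i < n; i++) {
        struct mock_pe *pe = pes[i];
        if (!pe)
            continue;
        pe->state |= PE_RECOVERING;
        if (mock_handle_normal_event(pe)) {
            /* The buggy version cleared state here, on a freed PE. */
            pes[i] = NULL;
            continue;
        }
        pe->state &= ~PE_RECOVERING; /* safe: the PE was not freed */
        alive++;
    }
    return alive;
}

/* Builds a constructed PE for the example and its checks. */
static struct mock_pe *mock_pe_new(bool recoverable)
{
    struct mock_pe *pe = calloc(1, sizeof(*pe));
    if (pe)
        pe->recoverable = recoverable;
    return pe;
}
```

Running the walk over one unrecoverable PE between two recoverable ones leaves two live PEs with the flag cleared and a NULL slot where the freed PE was.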