habanalabs: fix use-after-free bug

When the code iterates over the free list of physical pages nodes, it
deletes the physical page node which is used as the iterator.

Therefore, we need to use the safe version of the iteration to prevent
use-after-free.

Signed-off-by: Oded Gabbay <ogabbay@kernel.org>

diff --git a/drivers/misc/habanalabs/common/memory.c b/drivers/misc/habanalabs/common/memory.c
index 4778f23d809839fed1d16a3edd49c904d9fe598d..348daac621eecb12b516b0770e6069b6583d9f55 100644 (file)
--- a/drivers/misc/habanalabs/common/memory.c
+++ b/drivers/misc/habanalabs/common/memory.c
@@ -2860,7 +2860,7 @@ int hl_vm_ctx_init(struct hl_ctx *ctx)
  */
 void hl_vm_ctx_fini(struct hl_ctx *ctx)
 {
-       struct hl_vm_phys_pg_pack *phys_pg_list;
+       struct hl_vm_phys_pg_pack *phys_pg_list, *tmp_phys_node;
        struct hl_device *hdev = ctx->hdev;
        struct hl_vm_hash_node *hnode;
        struct hl_vm *vm = &hdev->vm;
@@ -2913,7 +2913,7 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx)
                }
        spin_unlock(&vm->idr_lock);
 
-       list_for_each_entry(phys_pg_list, &free_list, node)
+       list_for_each_entry_safe(phys_pg_list, tmp_phys_node, &free_list, node)
                free_phys_pg_pack(hdev, phys_pg_list);
 
        va_range_fini(hdev, ctx->va_range[HL_VA_RANGE_TYPE_DRAM]);