APPLIED[C/Unstable]: [SRU][Bionic][PATCH 1/1] ocxl: Fix page fault handler in case of fault on dying process
seth.forshee at canonical.com
Wed Aug 1 13:25:00 UTC 2018
On Mon, Jul 30, 2018 at 12:31:03PM -0400, Joseph Salisbury wrote:
> From: Frederic Barrat <fbarrat at linux.ibm.com>
> BugLink: http://bugs.launchpad.net/bugs/1781436
>
> If a process exits without doing proper cleanup, there's a window
> where an opencapi device can try to access the memory of the dying
> process and may trigger a page fault. That's an expected scenario and
> the ocxl driver holds a reference on the mm_struct of the process
> until the opencapi device is notified of the process exiting.
>
> However, if mm_users is already at 0, i.e. the address space of the
> process has already been destroyed, the driver shouldn't try resolving
> the page fault, as it will fail, but it can also try accessing already
> freed data.
>
> It is fixed by only calling the bottom half of the page fault handler
> if mm_users is greater than 0 and get a reference on mm_users instead
> of mm_count. Otherwise, we can safely return a translation fault to
> the device, as its associated memory context is being removed. The
> opencapi device will be properly cleaned up shortly after when closing
> the file descriptors.
>
> Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices")
> Cc: stable at vger.kernel.org # v4.16+
> Signed-off-by: Frederic Barrat <fbarrat at linux.ibm.com>
> Reviewed-By: Alastair D'Silva <alastair at d-silva.org>
> Acked-by: Andrew Donnellan <andrew.donnellan at au1.ibm.com>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> (cherry picked from linux-next commit d497ebf5fb3a026c0817f8c96cde578787f24093)
> Signed-off-by: Joseph Salisbury <joseph.salisbury at canonical.com>
Applied to cosmic/master-next and unstable/master, thanks!
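
The check described in the quoted commit message, as an added example that is not part of the original thread or of the ocxl patch: a userspace C model of taking an `mm_users` reference only while the count is still above 0, the pattern the kernel's `mmget_not_zero()` helper provides. The struct, the function names and the starting counts are constructed for illustration.

```c
/* Userspace model, constructed for illustration; not kernel or ocxl code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct mm_model {
    atomic_int mm_users;   /* users of the address space (mappings, page tables) */
    atomic_int mm_count;   /* references that only keep the struct allocated */
    bool mappings_alive;   /* cleared when the last mm_users reference drops */
};

/* Take an mm_users reference only if the count has not already reached 0. */
static bool mm_get_not_zero(struct mm_model *mm)
{
    int old = atomic_load(&mm->mm_users);
    while (old > 0) {
        /* On failure 'old' is reloaded, so a concurrent drop to 0 is seen. */
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
            return true;
    }
    return false;
}

static void mm_put(struct mm_model *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
        mm->mappings_alive = false;   /* last user gone: address space torn down */
}

enum fault_result { FAULT_RESOLVED, FAULT_TRANSLATION_ERROR };

/* Hypothetical handler: resolve only while holding an mm_users reference. */
static enum fault_result handle_device_fault(struct mm_model *mm)
{
    if (!mm_get_not_zero(mm))
        return FAULT_TRANSLATION_ERROR;   /* dying process: report to device */
    bool ok = mm->mappings_alive;         /* stands in for the bottom half */
    mm_put(mm);
    return ok ? FAULT_RESOLVED : FAULT_TRANSLATION_ERROR;
}

int main(void)
{
    /* Process holds mm_users; the driver's reference is modelled on mm_count. */
    struct mm_model mm = { 1, 2, true };
    printf("live process: %d\n", handle_device_fault(&mm));
    mm_put(&mm);   /* process exits without cleanup: mm_users drops to 0 */
    printf("dying process: %d\n", handle_device_fault(&mm));
    return 0;
}
```

A non-zero `mm_count` keeps the structure allocated in this model, but only a successful `mm_users` get shows that the mappings are still there to fault against.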