s390/mm: Fix potential use-after-free in __crst_table_upgrade()

The pointer to the mm_struct which is passed to __crst_table_upgrade() may
only be dereferenced if it is identical to current->active_mm. Otherwise
the current task has no reference to the mm_struct and it may already be
freed. In such a case this would result in a use-after-free bug.

Make sure this use-after-free scenario does not happen by moving the code,
which dereferences the mm_struct pointer, after the check which verifies
that the pointer is identical to current->active_mm, like it was before
lazy ASCE handling was reimplemented.

Fixes: 8b72f5a ("s390/mm: Reimplement lazy ASCE handling")
Reviewed-by: Gerald Schaefer <[email protected]>
Signed-off-by: Heiko Carstens <[email protected]>

Author: hcahca

arch/s390/mm/pgalloc.c

@@ -40,9 +40,9 @@ static void __crst_table_upgrade(void *arg)
 	struct mm_struct *mm = arg;
 	struct ctlreg asce;
 
-	asce.val = mm->context.asce;
 	/* change all active ASCEs to avoid the creation of new TLBs */
 	if (current->active_mm == mm) {
+		asce.val = mm->context.asce;
 		get_lowcore()->user_asce = asce;
 		local_ctl_load(7, &asce);
 		if (!test_thread_flag(TIF_ASCE_PRIMARY))