Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

uacce: use q->mapping to replace inode->i_mapping

The inode can be different in a container, for example, a docker and host
both open the same uacce parent device, which uses the same uacce struct
but different inode, so uacce->inode is not enough.

What's worse, when docker stops, the inode will be destroyed as well,
causing use-after-free in uacce_remove.

So use q->mapping to replace uacce->inode->i_mapping.

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
Link: https://lore.kernel.org/r/20230511095921.9331-2-zhangfei.gao@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Zhangfei Gao and committed by
Greg Kroah-Hartman
df1b056d 24ee010b

+9 -9
+7 -7
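--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -166,8 +166,8 @@
 
 	init_waitqueue_head(&q->wait);
 	filep->private_data = q;
-	uacce->inode = inode;
 	q->state = UACCE_Q_INIT;
+	q->mapping = filep->f_mapping;
 	mutex_init(&q->mutex);
 	list_add(&q->list, &uacce->queues);
 	mutex_unlock(&uacce->mutex);
@@ -574,12 +574,6 @@
 
 	if (!uacce)
 		return;
-	/*
-	 * unmap remaining mapping from user space, preventing user still
-	 * access the mmaped area while parent device is already removed
-	 */
-	if (uacce->inode)
-		unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
 
 	/*
 	 * uacce_fops_open() may be running concurrently, even after we remove
@@ -597,6 +591,12 @@
 		uacce_put_queue(q);
 		mutex_unlock(&q->mutex);
 		uacce_unbind_queue(q);
+
+		/*
+		 * unmap remaining mapping from user space, preventing user still
+		 * access the mmaped area while parent device is already removed
+		 */
+		unmap_mapping_range(q->mapping, 0, 0, 1);
 	}
 
 	/* disable sva now since no opened queues */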
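Review bot: In uacce_remove() the call `unmap_mapping_range(q->mapping, 0, 0, 1);` now runs per queue after `uacce_put_queue(q)` and `uacce_unbind_queue(q)` and outside `q->mutex`, whereas the removed code unmapped once before any queue was touched. User space therefore keeps its mapping while each queue is being put and unbound; whether that window matters depends on what those two helpers release, which is not visible here. If the order is deliberate, the moved comment should say why, for example `/* queue is already put and unbound; drop the user mappings of its file last */`; otherwise the call could move ahead of `uacce_put_queue(q)`. Queues opened through the same inode presumably share one address_space, so the range may be unmapped more than once, which looks harmless but is worth a word in the comment. Both functions start and end outside the hunks shown.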
+2 -2
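--- a/include/linux/uacce.h
+++ b/include/linux/uacce.h
@@ -86,6 +86,7 @@
  * @state: queue state machine
  * @pasid: pasid associated to the mm
  * @handle: iommu_sva handle returned by iommu_sva_bind_device()
+ * @mapping: user space mapping of the queue
  */
 struct uacce_queue {
 	struct uacce_device *uacce;
@@ -97,6 +98,7 @@
 	enum uacce_q_state state;
 	u32 pasid;
 	struct iommu_sva *handle;
+	struct address_space *mapping;
 };
 
 /**
@@ -114,7 +116,6 @@
  * @mutex: protects uacce operation
  * @priv: private pointer of the uacce
  * @queues: list of queues
- * @inode: core vfs
  */
 struct uacce_device {
 	const char *algs;
@@ -130,7 +131,6 @@
 	struct mutex mutex;
 	void *priv;
 	struct list_head queues;
-	struct inode *inode;
 };
 
 #if IS_ENABLED(CONFIG_UACCE)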
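Review bot: The kernel-doc line `@mapping: user space mapping of the queue` does not say where the pointer comes from or how long it stays valid, which is the property this commit depends on to avoid the use-after-free it describes. The field is assigned from `filep->f_mapping` at open and no reference is taken in the visible code, so it appears to be a borrowed pointer that is only safe while the opening file is alive and the queue is still on `uacce->queues`. I would document that, for example `@mapping: address_space of the file that opened the queue (filep->f_mapping); borrowed, not referenced`, and confirm that the release path, which is outside this page, unlinks the queue before the file goes away.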