From patchwork Thu May 11 02:15:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhangfei Gao X-Patchwork-Id: 681327 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB541C77B7C for ; Thu, 11 May 2023 02:16:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230041AbjEKCQY (ORCPT ); Wed, 10 May 2023 22:16:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229555AbjEKCQX (ORCPT ); Wed, 10 May 2023 22:16:23 -0400 Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 455CB273E for ; Wed, 10 May 2023 19:16:22 -0700 (PDT) Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-304935cc79bso7505686f8f.2 for ; Wed, 10 May 2023 19:16:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1683771381; x=1686363381; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=c7NhY70nKePpFKW1tNMvcsBAqsK2Oz2JiYYqlXCn6ek=; b=VzlDVeswYJTkHS18WfZGHZ94kK1HMGNiS+QWCFjD+YQvom1A9OAwXhkdBvdBe22xb1 wo2+YNPN2MLaLnGPFkdicBRqtv0CqWMFPg8QmcSKYNV9CwYtC9HjcrmNGJ/D2dsCz3lb Z5PlRQDTuLjC9YYVM1X5I8xGDP/4vF1xu/GrZJojtbOuyCP+QJF9DWyY0/3Y99Q8a5ua eByKEUXFxYnoBU9GBECtwMdo6BJkmns+hZ8YD2GZV8eQReJfbHcXZ0zBy6866p8r3miX 9dO9UeQ30UHWgOkJMCSmPXFkmsjsPkCrdbwew7yxIcitgBsJRx24CfkS0WtbbIPC8y/0 lm4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683771381; x=1686363381; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=c7NhY70nKePpFKW1tNMvcsBAqsK2Oz2JiYYqlXCn6ek=; b=gktIjNYbTeMTIAsLYg92h5gNceHTdm7fiAX+qFhyp20V8y7PV2u3zYeFl91xnKSz4q F3AhxOO13VvcyDQ5eR1oIQ0KCiBcmIarIFi7ClAR+nhstKjZV3OReuiYr9bhST4gM4oJ EIJb5SWQnMJSzKzwi7l4Tnh1xt3lQDRS1fmbFsxeXAYBK3RTRfds/0OtQc/2AIDz6CF0 O5acr+JmNF8qdAzk7VQtTetZovu0BJQMNYAMwWEdQB/sY3XbY3q4hHvSP25cGE7lbbSg fT8dHPjI3qvPaJN88HHZI8A5pjsrZRmBeOPqyzoSjpf71yiKyqz9c0TO/tz1+CjGnUd7 DKdw== X-Gm-Message-State: AC+VfDwMlf1b3qSmLWKQWEq7sj2djIn1Nl73SQ1g38p4Y982l7+cXB3k 4PZXHZuQVUYWZIAKuWWa5WWl7Q== X-Google-Smtp-Source: ACHHUZ7Sd+QhrUQhXDP5FYiCHBKYHYlWW2eiRLWyVaZMfV2uj0aNLztC4C2YUrLSDZA108qzs4//xg== X-Received: by 2002:a5d:45c7:0:b0:306:3bac:e235 with SMTP id b7-20020a5d45c7000000b003063bace235mr11720300wrs.10.1683771380676; Wed, 10 May 2023 19:16:20 -0700 (PDT) Received: from localhost.localdomain ([64.64.123.10]) by smtp.gmail.com with ESMTPSA id j18-20020a5d4492000000b003021288a56dsm18945908wrq.115.2023.05.10.19.16.14 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Wed, 10 May 2023 19:16:20 -0700 (PDT) From: Zhangfei Gao To: Greg Kroah-Hartman , Arnd Bergmann , Herbert Xu , jean-philippe , Wangzhou , Jonathan Cameron Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, iommu@lists.linux.dev, acc@lists.linaro.org, Zhangfei Gao , Weili Qian Subject: [PATCH] uacce: use filep->f_mapping to replace inode->i_mapping Date: Thu, 11 May 2023 10:15:53 +0800 Message-Id: <20230511021553.44318-1-zhangfei.gao@linaro.org> X-Mailer: git-send-email 2.39.2 (Apple Git-143) MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The inode can be different in a container, for example, a docker and host both open the same uacce parent device, which uses the same uacce struct but different inode, so uacce->inode is not enough. What's worse, when docker stops, the inode will be destroyed as well, causing use-after-free in uacce_remove. So use q->filep->f_mapping to replace uacce->inode->i_mapping. Signed-off-by: Weili Qian Signed-off-by: Zhangfei Gao --- drivers/misc/uacce/uacce.c | 16 +++++++++------- include/linux/uacce.h | 4 ++-- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 346bd7cf2e94..740ace422baa 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -166,8 +166,8 @@ static int uacce_fops_open(struct inode *inode, struct file *filep) init_waitqueue_head(&q->wait); filep->private_data = q; - uacce->inode = inode; q->state = UACCE_Q_INIT; + q->private_data = filep; mutex_init(&q->mutex); list_add(&q->list, &uacce->queues); mutex_unlock(&uacce->mutex); @@ -574,12 +574,6 @@ void uacce_remove(struct uacce_device *uacce) if (!uacce) return; - /* - * unmap remaining mapping from user space, preventing user still - * access the mmaped area while parent device is already removed - */ - if (uacce->inode) - unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1); /* * uacce_fops_open() may be running concurrently, even after we remove @@ -589,6 +583,8 @@ void uacce_remove(struct uacce_device *uacce) mutex_lock(&uacce->mutex); /* ensure no open queue remains */ list_for_each_entry_safe(q, next_q, &uacce->queues, list) { + struct file *filep = q->private_data; + /* * Taking q->mutex ensures that fops do not use the defunct * uacce->ops after the queue is disabled. @@ -597,6 +593,12 @@ void uacce_remove(struct uacce_device *uacce) uacce_put_queue(q); mutex_unlock(&q->mutex); uacce_unbind_queue(q); + + /* + * unmap remaining mapping from user space, preventing user still + * access the mmaped area while parent device is already removed + */ + unmap_mapping_range(filep->f_mapping, 0, 0, 1); } /* disable sva now since no opened queues */ diff --git a/include/linux/uacce.h b/include/linux/uacce.h index 0a81c3dfd26c..64b800b74436 100644 --- a/include/linux/uacce.h +++ b/include/linux/uacce.h @@ -86,6 +86,7 @@ enum uacce_q_state { * @state: queue state machine * @pasid: pasid associated to the mm * @handle: iommu_sva handle returned by iommu_sva_bind_device() + * @private_data: private data for saving filep */ struct uacce_queue { struct uacce_device *uacce; @@ -97,6 +98,7 @@ struct uacce_queue { enum uacce_q_state state; u32 pasid; struct iommu_sva *handle; + void *private_data; }; /** @@ -114,7 +116,6 @@ struct uacce_queue { * @mutex: protects uacce operation * @priv: private pointer of the uacce * @queues: list of queues - * @inode: core vfs */ struct uacce_device { const char *algs; @@ -130,7 +131,6 @@ struct uacce_device { struct mutex mutex; void *priv; struct list_head queues; - struct inode *inode; }; #if IS_ENABLED(CONFIG_UACCE)