From: Zhou Guanghui <zhouguanghui1@huawei.com> of some abnormal branches
ascend inclusion
category: feature
bugzilla: NA
CVE: NA
-------------------------------------------------
1. sp_group_add_task: when spg invalid, low 32bits of pointer spg will be returned. This will be considered a correct spg id.
2.sp_alloc: The error branch goto out, then sp_mutex will be unlocked incorrectly(since not be locked).
Signed-off-by: Zhou Guanghui <zhouguanghui1@huawei.com>
Signed-off-by: Tang Yizhou <tangyizhou@huawei.com>
Reviewed-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 mm/share_pool.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/mm/share_pool.c b/mm/share_pool.c
index 32c3250795e9..2d0e4b6fe4b7 100644
--- a/mm/share_pool.c
+++ b/mm/share_pool.c
@@ -516,10 +516,15 @@ int sp_group_add_task(int pid, int spg_id)
 goto out_unlock;
 spg = find_or_alloc_sp_group(spg_id);
- if (IS_ERR(spg) || !spg_valid(spg)) {
+ if (IS_ERR(spg)) {
 ret = PTR_ERR(spg);
 goto out_put_task;
 }
+
+ if (!spg_valid(spg)) {
+ ret = -ENODEV;
+ goto out_put_task;
+ }
 atomic_inc(&spg->use_count);
 /* access control permission check */
@@ -1191,8 +1196,7 @@ void *sp_alloc(unsigned long size, unsigned long sp_flags, int spg_id)
 if (ret < 0 && (ret != -EEXIST)) {
 pr_err("share pool: allocation failed due to add group error %d in DVPP pass through scenario", ret);
- p = ERR_PTR(ret);
- goto out;
+ return ERR_PTR(ret);
 }
 mutex_lock(&sp_mutex);
 spg = current->mm->sp_group;
-- 2.25.1
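Review bot: Between the new `spg_valid(spg)` check and `atomic_inc(&spg->use_count)` nothing in this hunk pins the group, so the validity result can be stale by the time the reference is taken unless a lock held here also serialises group teardown. The `out_unlock` label suggests a lock is held, but which one, and whether it covers `spg`, is not visible because sp_group_add_task starts and ends outside the hunk. If it does cover it, a comment saying so would help, e.g. `/* <lock name> held: spg cannot become invalid before use_count is raised */`. If it does not, the reference should be taken before the validity check and dropped again on the `-ENODEV` path.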
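Review bot: The bare `return ERR_PTR(ret);` is correct only because `sp_mutex` has not been taken yet at this point, and that reasoning is not written down in the code. A one-line comment above it, such as `/* sp_mutex not held yet, so the out label (which unlocks it) must be skipped */`, would keep a later edit from turning it back into `goto out`. The `out` label is outside this hunk, so it cannot be confirmed that it does nothing besides the unlock; if it also releases something acquired before this branch, that release is now skipped. The `pr_err` format string in the context line has no trailing `\n`, which is worth fixing while this branch is being touched.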