
From: Tang Yizhou <tangyizhou@huawei.com> ascend inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4EUVI CVE: NA ------------------------------------------------- Considering a process get a uva by sp_alloc(), then let multiple processes call sp_free() to release it. Obviously this is a double-free problem and not allowed. The same reason for sp_unshare_uva(). Signed-off-by: Tang Yizhou <tangyizhou@huawei.com> Reviewed-by: Ding Tianhong <dingtianhong@huawei.com> Signed-off-by: Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- mm/share_pool.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/mm/share_pool.c b/mm/share_pool.c index 3fc5c14ace44b..19580b85d77fb 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -1901,6 +1901,13 @@ static int sp_free_get_spa(struct sp_free_context *fc) /* we must return success(0) in this situation */ } /* the life cycle of spa has a direct relation with sp group */ + if (unlikely(spa->is_dead)) { + up_write(&spa->spg->rw_lock); + pr_err_ratelimited("unexpected double sp free\n"); + dump_stack(); + ret = -EINVAL; + goto drop_spa; + } spa->is_dead = true; up_write(&spa->spg->rw_lock); @@ -3236,6 +3243,13 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size) goto out_clr_flag; } /* the life cycle of spa has a direct relation with sp group */ + if (unlikely(spa->is_dead)) { + up_write(&spa->spg->rw_lock); + pr_err_ratelimited("unexpected double sp unshare\n"); + dump_stack(); + ret = -EINVAL; + goto out_drop_area; + } spa->is_dead = true; up_write(&spa->spg->rw_lock); @@ -3264,6 +3278,7 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size) return ret; } +/* No possible concurrent protection, take care when use */ static int sp_unshare_kva(unsigned long kva, unsigned long size) { unsigned long addr, kva_aligned; -- 2.25.1
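Review bot: in the sp_free_get_spa() hunk, the new `if (unlikely(spa->is_dead))` branch calls dump_stack() unconditionally, while only the pr_err_ratelimited() message is rate-limited. Since the commit message says this path is reached when a second process calls sp_free() on an address it does not own, an unprivileged caller can trigger it in a loop and flood the kernel log with full stack traces. Suggest tying the dump to the same rate limit as the message, e.g. `if (printk_ratelimit()) dump_stack();`, or replacing both lines with a WARN_ONCE(). The ordering itself is fine: is_dead is tested and then set while spg->rw_lock is held for write, so two concurrent sp_free() callers cannot both pass the check, and the `goto drop_spa` keeps the reference drop on the error path.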
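Review bot: the seven-line is_dead block added to sp_unshare_uva() is a verbatim copy of the one added to sp_free_get_spa(), differing only in the message string and the error label. Consider a small helper that takes the spa and the message (called with the write lock held, returning -EINVAL when is_dead is already set) so the two sites cannot drift apart; the unbounded dump_stack() on a user-triggerable path applies here as well and should be rate-limited or turned into a WARN_ONCE() together with the first hunk. It would also help to state in the commit message that the is_dead flag is only meaningful under spg->rw_lock, since that lock is what makes the test-and-set here atomic against a concurrent sp_free() of the same spa.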
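Review bot: the comment added above sp_unshare_kva(), "No possible concurrent protection, take care when use", is ungrammatical and does not say what the caller is expected to do. Suggest something like "No locking here: callers must serialize calls on the same kva range themselves", and, since sp_unshare_kva() gets no is_dead check in this patch while the two uva paths do, the commit message should say explicitly that the double-unshare guard covers only the uva variants and that the kva variant stays the caller's responsibility.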