[PATCH OLK-6.6 0/2] uacce: removal of the Shared Memory Feature for Queues

Longfang Liu (1): uacce: removal of the Shared Memory Feature for Queues Zhushuai Yin (1): crypto: hisilicon/qm - check whether the input parameters and device PF match drivers/crypto/hisilicon/qm.c | 4 +++ drivers/misc/uacce/uacce.c | 60 ++------------------------------- include/uapi/misc/uacce/uacce.h | 3 -- 3 files changed, 7 insertions(+), 60 deletions(-) -- 2.33.0

From: Longfang Liu <liulongfang@huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICFGRF CVE: NA ---------------------------------------------------------------------- In UACCE and UADK, the handling of kernel-reserved memory for No-SVA mode has been simplified by consolidating memory allocation requests across multiple queues to reduce overhead. However, this approach introduces memory lifecycle management issues: when the primary queue completes its operations and releases resources, the shared memory is destroyed. Other queues relying on this memory are unaware of this change, leading to Use-After-Free (UAF) errors when they attempt to access the now-freed memory. Fixes: c0b0e89513ec ("uacce: support UACCE_MODE_NOIOMMU mode") Signed-off-by: Longfang Liu <liulongfang@huawei.com> Signed-off-by: JiangShui Yang <yangjiangshui@h-partners.com> --- drivers/misc/uacce/uacce.c | 60 ++------------------------------- include/uapi/misc/uacce/uacce.h | 3 -- 2 files changed, 3 insertions(+), 60 deletions(-)
diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index 19a0fdfac47b..04f2658712da 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -17,10 +17,6 @@ static const struct class uacce_class = {
 .name = UACCE_NAME,
 };
-static struct uacce_qfile_region noiommu_ss_default_qfr = {
- .type = UACCE_QFRT_SS,
-};
-
 /*
 * If the parent driver or the device disappears, the queue state is invalid and
 * ops are not usable anymore.
@@ -69,52 +65,6 @@ static void uacce_put_queue(struct uacce_queue *q)
 uacce->ops->put_queue(q);
 }
-static long uacce_cmd_share_qfr(struct uacce_queue *src, int fd)
-{
- struct device *dev = &src->uacce->dev;
- struct file *filep = fget(fd);
- struct uacce_queue *tgt;
- int ret = -EINVAL;
-
- if (!filep) {
- dev_err(dev, "filep is NULL!\n");
- return ret;
- }
-
- if (filep->f_op != &uacce_fops) {
- dev_err(dev, "file ops mismatch!\n");
- goto out_with_fd;
- }
-
- tgt = filep->private_data;
- if (!tgt) {
- dev_err(dev, "target queue is not exist!\n");
- goto out_with_fd;
- }
-
- mutex_lock(&src->mutex);
- if (tgt->state == UACCE_Q_ZOMBIE || src->state == UACCE_Q_ZOMBIE) {
- dev_err(dev, "target or source queue is zombie!\n");
- goto out_with_fd;
- }
-
- if (!src->qfrs[UACCE_QFRT_SS] || tgt->qfrs[UACCE_QFRT_SS]) {
- dev_err(dev, "src q's SS not exists or target q's SS exists!\n");
- goto out_with_fd;
- }
-
- /* In No-IOMMU mode, taget queue uses default SS qfr */
- tgt->qfrs[UACCE_QFRT_SS] = &noiommu_ss_default_qfr;
-
- ret = 0;
-
-out_with_fd:
- mutex_unlock(&src->mutex);
- fput(filep);
-
- return ret;
-}
-
 static long uacce_get_ss_dma(struct uacce_queue *q, void __user *arg)
 {
 struct uacce_device *uacce = q->uacce;
@@ -232,9 +182,6 @@ static long uacce_fops_unl_ioctl(struct file *filep,
 case UACCE_CMD_PUT_Q:
 ret = uacce_stop_queue(q);
 break;
- case UACCE_CMD_SHARE_SVAS:
- ret = uacce_cmd_share_qfr(q, (int)arg);
- break;
 case UACCE_CMD_GET_SS_DMA:
 ret = uacce_get_ss_dma(q, (void __user *)(uintptr_t)arg);
 break;
@@ -352,7 +299,7 @@ static int uacce_fops_release(struct inode *inode, struct file *filep)
 uacce_put_queue(q);
 uacce_unbind_queue(q);
 ss = q->qfrs[UACCE_QFRT_SS];
- if (ss && ss != &noiommu_ss_default_qfr) {
+ if (ss) {
 uacce_free_dma_buffers(q);
 kfree(ss);
 }
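Review bot: In the uacce_fops_release hunk, `kfree(ss)` leaves `q->qfrs[UACCE_QFRT_SS]` holding the freed pointer in the lines shown, whereas the uacce_vma_close hunk clears its slot (`q->qfrs[vma->vm_pgoff] = NULL;`) before `kfree(qfr)`. Now that every non-NULL SS entry is owned by its own queue, the release path could follow the same pattern with `q->qfrs[UACCE_QFRT_SS] = NULL;` after the free, unless q itself is freed right afterwards; the function continues outside the hunk, so that needs confirming. The same ownership question applies to the uacce_remove hunk, where `uacce_free_dma_buffers(q)` now runs for any non-NULL `ss` and the slot is not cleared in the visible lines, so it is worth confirming that a later release of the same queue cannot free the DMA buffers a second time.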
@@ -392,8 +339,7 @@ static void uacce_vma_close(struct vm_area_struct *vma)
 q->qfrs[vma->vm_pgoff] = NULL;
 mutex_unlock(&q->mutex);
 mutex_unlock(&uacce->mutex);
- if (qfr != &noiommu_ss_default_qfr)
- kfree(qfr);
+ kfree(qfr);
 } else if (vma->vm_pgoff != UACCE_QFRT_SS) {
 mutex_lock(&q->mutex);
 qfr = q->qfrs[vma->vm_pgoff];
@@ -1063,7 +1009,7 @@ void uacce_remove(struct uacce_device *uacce)
 * access the mmaped area while parent device is already removed
 */
 unmap_mapping_range(q->mapping, 0, 0, 1);
- if (ss && ss != &noiommu_ss_default_qfr)
+ if (ss)
 uacce_free_dma_buffers(q);
 }
diff --git a/include/uapi/misc/uacce/uacce.h b/include/uapi/misc/uacce/uacce.h
index 788c6ec6f095..4981554f4e4b 100644
--- a/include/uapi/misc/uacce/uacce.h
+++ b/include/uapi/misc/uacce/uacce.h
@@ -19,11 +19,8 @@
 */
 #define UACCE_CMD_PUT_Q _IO('W', 1)
-#define UACCE_CMD_SHARE_SVAS _IO('W', 2)
-
 #define UACCE_CMD_GET_SS_DMA _IOR('W', 3, unsigned long)
-
 /**
 * UACCE Device Attributes:
 *
-- 2.33.0

From: Zhushuai Yin <yinzhushuai@huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICFGRF CVE: NA ---------------------------------------------------------------------- The input parameter may not be a resource under the PF of this device and needs to be intercepted as illegal. Fixes: 488f30d4b8b3 ("crypto: hisilicon/qm - some optimizations of ths qos write process") Signed-off-by: Zhushuai Yin <yinzhushuai@huawei.com> Signed-off-by: JiangShui Yang <yangjiangshui@h-partners.com> --- drivers/crypto/hisilicon/qm.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index 60a7aa888ef3..75287085a6b6 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -4022,6 +4022,10 @@ static ssize_t qm_get_qos_value(struct hisi_qm *qm, const char *buf,
 }
 pdev = container_of(dev, struct pci_dev, dev);
+ if (pci_physfn(pdev) != qm->pdev) {
+ pci_err(qm->pdev, "the pdev input does not match the pf!\n");
+ return -EINVAL;
+ }
 *fun_index = pdev->devfn;
-- 2.33.0
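Review bot: The new early `return -EINVAL;` in qm_get_qos_value leaves the function without releasing `dev`. If `dev` was obtained from a lookup that takes a device reference (for example bus_find_device_by_name, which would sit above this hunk), the rejection path should call `put_device(dev);` before returning, otherwise each mismatched write pins a PCI device. The success path raises the same question, since only `*fun_index = pdev->devfn;` is visible after the check. The function starts and ends outside the hunk, so how `dev` is acquired needs confirming there.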

反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/16730 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/2QM... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16730 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/2QM...