From: Weili Qian qianweili@huawei.com
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB9H0P CVE: NA
----------------------------------------------------------------------
When the qfr type is UACCE_QFRT_SS, qfr may point to noiommu_ss_default_qfr. That object is global static memory and cannot be freed. Therefore, the qfr address needs to be checked before the qfr is released.
Fixes: c0b0e89513ec ("uacce: support UACCE_MODE_NOIOMMU mode") Signed-off-by: Weili Qian qianweili@huawei.com Signed-off-by: JiangShui Yang yangjiangshui@h-partners.com --- drivers/misc/uacce/uacce.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index 6202a4e2c60f..34ba926c1d56 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -360,16 +360,13 @@ static void uacce_vma_close(struct vm_area_struct *vma)
 struct uacce_queue *q = vma->vm_private_data;
 struct uacce_qfile_region *qfr = NULL;
 struct uacce_device *uacce = q->uacce;
- struct device *dev = &q->uacce->dev;
if (vma->vm_pgoff >= UACCE_MAX_REGION) return;
qfr = q->qfrs[vma->vm_pgoff]; - if (!qfr) { - dev_err(dev, "qfr NULL, type %lu!\n", vma->vm_pgoff); + if (!qfr) return; - }
if (qfr->type == UACCE_QFRT_SS && atomic_read(¤t->active_mm->mm_users) > 0) { @@ -383,7 +380,8 @@ static void uacce_vma_close(struct vm_area_struct *vma) uacce_free_dma_buffers(q); q->qfrs[vma->vm_pgoff] = NULL; mutex_unlock(&uacce->mutex); - kfree(qfr); + if (qfr != &noiommu_ss_default_qfr) + kfree(qfr); } else if (qfr->type != UACCE_QFRT_SS) { mutex_lock(&q->mutex); q->qfrs[vma->vm_pgoff] = NULL;
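Review bot: `qfr = q->qfrs[vma->vm_pgoff];` and the `qfr->type` test that follows run before any lock visible in these hunks is taken, while the slot is cleared and the object freed under `uacce->mutex` further down. If two VMAs can refer to the same region slot (not determinable from the hunk), two close calls could both read the same non-NULL pointer and both reach `kfree(qfr)`; reading the slot only after taking the mutex, or re-checking it under the mutex, would close that window. With the `dev_err()` removed the NULL case is now silent, so a short comment such as `/* slot already released, nothing to do */` on the `if (!qfr)` line would record why that is expected. The function body starts before and continues past this hunk.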
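Review bot: The `qfr != &noiommu_ss_default_qfr` test guards only this one `kfree()`; any other path that frees entries of `q->qfrs[]` (none is visible here) would need the same check, or the static object still reaches the allocator as an invalid free. A small helper that wraps the comparison and the `kfree()` would keep the rule in one place, and the condition deserves a comment, e.g. `/* noiommu_ss_default_qfr is static storage and must never be passed to kfree() */`. `uacce_free_dma_buffers(q)` still runs unconditionally just above; whether that is correct when the region is the static default cannot be told from the hunk and is worth confirming. The enclosing if/else chain starts and ends outside the hunk.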