driver inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/I83L7U
----------------------------------------------------------
Currently, the mapping relationship of the reset page between kernel mode and user mode is maintained by the driver. If the driver is hot-plugged (e.g. reset), the memory of the reset page is released by the kernel driver, but the reset page in user mode still points to this released address, which would lead to a UAF.
This patch uses the helper rdma_user_mmap_io() to maintain the vma mapping, rather than the driver itself, which remaps the userspace reset page to a safe zero page if the driver was hot-plugged.
Fixes: e8b1fec497a0 ("RDMA/hns: Kernel notify usr space to stop ring db")
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
---
 drivers/infiniband/hw/hns/hns_roce_main.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c index 4a16200ab950..2f0a5b2bbc50 100644 --- a/drivers/infiniband/hw/hns/hns_roce_main.c +++ b/drivers/infiniband/hw/hns/hns_roce_main.c @@ -675,10 +675,9 @@ static int hns_roce_mmap(struct ib_ucontext *uctx, struct vm_area_struct *vma) goto out; }
- ret = remap_pfn_range(vma, vma->vm_start, - page_to_pfn(hr_dev->reset_page), - PAGE_SIZE, vma->vm_page_prot); - goto out; + prot = vma->vm_page_prot; + pfn = page_to_pfn(hr_dev->reset_page); + break; default: ret = -EINVAL; goto out;
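Review bot: the reset-page case now only sets `prot` and `pfn` and then `break`s, but the call that consumes those two values (the rdma_user_mmap_io() call the commit message refers to) is outside the visible context, so please confirm three things in the code after the switch: that the shared call is reached for this case and passes a size of PAGE_SIZE, since the removed `remap_pfn_range(vma, vma->vm_start, page_to_pfn(hr_dev->reset_page), PAGE_SIZE, vma->vm_page_prot)` mapped exactly one page and rdma_user_mmap_io() rejects a vma whose length does not match the requested size; that `pfn` and `prot` are declared in hns_roce_mmap() and assigned on every path that reaches the `break`, so no case can fall through to the helper with stale values; and that `ret` is still set from the helper's return value now that this case no longer assigns it before `goto out`. One further point worth a comment in the code: both the old and the new version hand `vma->vm_page_prot` through unchanged, so if the reset page is meant to be read-only for userspace (it is a kernel-to-user notification page), the protection should be checked or forced to read-only here rather than trusting the flags the caller passed to mmap(). The `default: ret = -EINVAL; goto out;` context is unchanged and fine.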