From: Guo Mengqi <guomengqi3@huawei.com>

ascend inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4ODJ6
CVE: NA

---------------------------
Remove the unnecessary current->mm NULL check in sp_unshare_uva, and allow a process to unshare kernel mapped addresses in do_exit().

Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 mm/share_pool.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/mm/share_pool.c b/mm/share_pool.c index c79ea4bb06026..0ba516e16ef29 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -3283,16 +3283,11 @@ EXPORT_SYMBOL_GPL(mg_sp_make_share_u2k); * * Procedure of unshare uva must be compatible with: * - * 1. DVPP channel destroy procedure: - * do_exit() -> exit_mm() (mm no longer in spg and current->mm == NULL) -> - * exit_task_work() -> task_work_run() -> __fput() -> ... -> vdec_close() -> - * sp_unshare(uva, SPG_ID_DEFAULT) - * - * 2. Process A once was the target of k2u(to group), then it exits. + * 1. Process A once was the target of k2u(to group), then it exits. * Guard worker kthread tries to free this uva and it must succeed, otherwise * spa of this uva leaks. * - * This also means we must trust DVPP channel destroy and guard worker code. + * This also means we must trust guard worker code. */ static int sp_unshare_uva(unsigned long uva, unsigned long size) { @@ -3339,7 +3334,11 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size) }
if (spa->type == SPA_TYPE_K2TASK) { - if (!current->mm || spa->applier != current->tgid) { + /* + * Only allow the original k2task applier process to unshare this uva. + * Kthreads or other processes are not allowed to unshare the uva. + */ + if (spa->applier != current->tgid) { pr_err_ratelimited("unshare uva(to task) no permission\n"); ret = -EPERM; goto out_drop_area;
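
Review bot: the rewritten comment above sp_unshare_uva() no longer names any caller that runs with current->mm == NULL, yet the commit message says the purpose of the change is to let a process unshare in do_exit(). Deleting the "do_exit() -> exit_mm() ... -> sp_unshare(uva, SPG_ID_DEFAULT)" chain removes the only in-source record of that path. Suggest keeping a short item saying the function may be entered from the exit path after exit_mm(). Since the list is left with a lone "1.", either renumber it or fold it into a sentence. The closing line now reads "we must trust guard worker code"; a few words on why the DVPP channel destroy path dropped out of that trust statement would help the next reader.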
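
Review bot: in the SPA_TYPE_K2TASK branch, dropping "!current->mm" leaves "spa->applier != current->tgid" as the only gate, so the new comment's statement that kthreads are not allowed to unshare is no longer something the code checks directly. It holds only if a kthread's tgid can never equal spa->applier, and the comment should say that this is the assumption. The branch is also now reachable with current->mm == NULL (the do_exit() case the commit message describes), so please confirm that nothing after this check on the K2TASK path dereferences current->mm, or add a guard at the point where it does.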