From: Zhou Guanghui zhouguanghui1@huawei.com
ascend inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4EUVI
CVE: NA
-------------------------------------------------
1. sp_group_add_task: when spg is invalid, the low 32 bits of the pointer spg will be returned. This will be considered a correct spg id.
2. sp_alloc: the error branch does goto out, and sp_mutex is then unlocked incorrectly (since it was not locked).
Signed-off-by: Zhou Guanghui zhouguanghui1@huawei.com
Signed-off-by: Tang Yizhou tangyizhou@huawei.com
Reviewed-by: Ding Tianhong dingtianhong@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
Reviewed-by: Weilong Chen chenweilong@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 mm/share_pool.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/mm/share_pool.c b/mm/share_pool.c index 4b9d1e28c9227..10967dcb7df9e 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -516,10 +516,15 @@ int sp_group_add_task(int pid, int spg_id) goto out_unlock;
spg = find_or_alloc_sp_group(spg_id); - if (IS_ERR(spg) || !spg_valid(spg)) { + if (IS_ERR(spg)) { ret = PTR_ERR(spg); goto out_put_task; } + + if (!spg_valid(spg)) { + ret = -ENODEV; + goto out_put_task; + } atomic_inc(&spg->use_count);
/* access control permission check */ @@ -1191,8 +1196,7 @@ void *sp_alloc(unsigned long size, unsigned long sp_flags, int spg_id) if (ret < 0 && (ret != -EEXIST)) { pr_err("share pool: allocation failed due to add group error %d in DVPP pass through scenario", ret); - p = ERR_PTR(ret); - goto out; + return ERR_PTR(ret); } mutex_lock(&sp_mutex); spg = current->mm->sp_group;
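Review bot: In the first hunk (sp_group_add_task), the new `!spg_valid(spg)` branch jumps to `out_put_task` while holding a non-error `spg` returned by `find_or_alloc_sp_group()`, and it does so before `atomic_inc(&spg->use_count)`. Please confirm that `find_or_alloc_sp_group()` neither takes a reference nor allocates a new group that this path would then have to release; if it can, the branch needs its own cleanup label rather than sharing `out_put_task` with the `IS_ERR(spg)` case. It would also help to add a short comment saying why `-ENODEV` is the code for a group that exists but is no longer valid, since the caller in sp_alloc only special-cases `-EEXIST` and will now report this value through its `pr_err`.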
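Review bot: In the second hunk (sp_alloc), `return ERR_PTR(ret);` now bypasses the `out` label entirely, not just the `mutex_unlock`. That is correct for the lock, since this branch runs before `mutex_lock(&sp_mutex)`, but the diff does not show what else `out` does (statistics, logging, freeing of intermediate state). Please check that nothing acquired before this point relies on `out` for cleanup, and state in the commit message that the early return is safe for that reason. As a style point on the unchanged context line, the `pr_err` format string as shown has no trailing `\n`; if that is how it reads in the file, it is worth fixing while touching this branch.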