From: Tang Yizhou tangyizhou@huawei.com
ascend inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4EUVI
CVE: NA
-------------------------------------------------
Consider a process that gets a uva by sp_alloc(), then lets multiple processes call sp_free() to release it. Obviously this is a double-free problem and is not allowed.
The same reasoning applies to sp_unshare_uva().
Signed-off-by: Tang Yizhou tangyizhou@huawei.com
Reviewed-by: Ding Tianhong dingtianhong@huawei.com
Signed-off-by: Zhou Guanghui zhouguanghui1@huawei.com
Reviewed-by: Weilong Chen chenweilong@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 mm/share_pool.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/mm/share_pool.c b/mm/share_pool.c index 3fc5c14ace44b..19580b85d77fb 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -1901,6 +1901,13 @@ static int sp_free_get_spa(struct sp_free_context *fc) /* we must return success(0) in this situation */ } /* the life cycle of spa has a direct relation with sp group */ + if (unlikely(spa->is_dead)) { + up_write(&spa->spg->rw_lock); + pr_err_ratelimited("unexpected double sp free\n"); + dump_stack(); + ret = -EINVAL; + goto drop_spa; + } spa->is_dead = true; up_write(&spa->spg->rw_lock);
@@ -3236,6 +3243,13 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size) goto out_clr_flag; } /* the life cycle of spa has a direct relation with sp group */ + if (unlikely(spa->is_dead)) { + up_write(&spa->spg->rw_lock); + pr_err_ratelimited("unexpected double sp unshare\n"); + dump_stack(); + ret = -EINVAL; + goto out_drop_area; + } spa->is_dead = true; up_write(&spa->spg->rw_lock);
@@ -3264,6 +3278,7 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size) return ret; }
+/* No possible concurrent protection, take care when use */ static int sp_unshare_kva(unsigned long kva, unsigned long size) { unsigned long addr, kva_aligned;
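Review bot: in the sp_free_get_spa() hunk, dump_stack() in the new is_dead branch is not rate-limited even though the pr_err_ratelimited() before it is, so a user process that keeps calling sp_free() on an already-freed uva can flood the kernel log with stack dumps, and since the second free is a user-space mistake the kernel stack adds little beyond the message. Tie the dump to the same limit, e.g. with a static DEFINE_RATELIMIT_STATE() next to the function and "if (__ratelimit(&rs)) dump_stack();" (a WARN variant is the wrong tool here because the condition is user-triggerable and would fire on panic_on_warn systems). The check itself is placed correctly: it runs under the same spg->rw_lock write lock that sets "spa->is_dead = true;", so two racing frees cannot both pass it.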
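Review bot: the sp_unshare_uva() hunk repeats the sp_free_get_spa() check line for line, differing only in the message text and the goto label; a small helper that takes the spa and the operation name, drops the write lock, logs, and returns -EINVAL would keep the two paths from drifting apart, and the same unbounded dump_stack() concern applies here. It is also worth stating in the commit message that a second unshare now fails with -EINVAL, since callers that treated sp_unshare() as idempotent will start seeing an error.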
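Review bot: the comment added above sp_unshare_kva() should say what callers must do, not only that the protection is missing; something like "/* No locking against concurrent callers: the caller must serialize unshares of the same kva. */" reads more clearly than "take care when use". Since this series adds a double-release check to the uva path but leaves the kva path with only this comment, the commit message should explain why sp_unshare_kva() is out of scope, or the same is_dead check should be added there as well.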