Message ID | 1582701126-5312-1-git-send-email-zhangfei.gao@linaro.org (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Herbert Xu |
Series | [v2] uacce: unmap remaining mmapping from user space |
On Wed, Feb 26, 2020 at 03:12:06PM +0800, Zhangfei Gao wrote:
> When uacce parent device module is removed, user app may
> still keep the mmaped area, which can be accessed unsafely.
> When rmmod, Parent device driver will call uacce_remove,
> which unmap all remaining mapping from user space for safety.
> VM_FAULT_SIGBUS is also reported to user space accordingly.
>
> Suggested-by: Dave Jiang <dave.jiang@intel.com>
> Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
> ---
> v2: Unmap before put_queue, where memory is freed, commented from Zaibo.
>
> drivers/misc/uacce/uacce.c | 16 ++++++++++++++++
> include/linux/uacce.h | 2 ++
> 2 files changed, 18 insertions(+)

Patch applied. Thanks.
On 2020/3/6 9:51 AM, Herbert Xu wrote:
> On Wed, Feb 26, 2020 at 03:12:06PM +0800, Zhangfei Gao wrote:
>> When uacce parent device module is removed, user app may
>> still keep the mmaped area, which can be accessed unsafely.
>> When rmmod, Parent device driver will call uacce_remove,
>> which unmap all remaining mapping from user space for safety.
>> VM_FAULT_SIGBUS is also reported to user space accordingly.
>>
>> Suggested-by: Dave Jiang <dave.jiang@intel.com>
>> Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
>> ---
>> v2: Unmap before put_queue, where memory is freed, commented from Zaibo.
>>
>> drivers/misc/uacce/uacce.c | 16 ++++++++++++++++
>> include/linux/uacce.h | 2 ++
>> 2 files changed, 18 insertions(+)
> Patch applied. Thanks.

Thanks Herbert for the help.
diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index ffced4d..d39307f 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -224,6 +224,7 @@ static int uacce_fops_open(struct inode *inode, struct file *filep) init_waitqueue_head(&q->wait); filep->private_data = q; + uacce->inode = inode; q->state = UACCE_Q_INIT; return 0; @@ -253,6 +254,14 @@ static int uacce_fops_release(struct inode *inode, struct file *filep) return 0; } +static vm_fault_t uacce_vma_fault(struct vm_fault *vmf) +{ + if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE)) + return VM_FAULT_SIGBUS; + + return 0; +} + static void uacce_vma_close(struct vm_area_struct *vma) { struct uacce_queue *q = vma->vm_private_data; @@ -265,6 +274,7 @@ static void uacce_vma_close(struct vm_area_struct *vma) } static const struct vm_operations_struct uacce_vm_ops = { + .fault = uacce_vma_fault, .close = uacce_vma_close, }; @@ -556,6 +566,12 @@ void uacce_remove(struct uacce_device *uacce) if (!uacce) return; + /* + * unmap remaining mapping from user space, preventing user still + * access the mmaped area while parent device is already removed + */ + if (uacce->inode) + unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1); /* ensure no open queue remains */ mutex_lock(&uacce->mm_lock); diff --git a/include/linux/uacce.h b/include/linux/uacce.h index 904a461..0e215e6 100644 --- a/include/linux/uacce.h +++ b/include/linux/uacce.h @@ -98,6 +98,7 @@ struct uacce_queue { * @priv: private pointer of the uacce * @mm_list: list head of uacce_mm->list * @mm_lock: lock for mm_list + * @inode: core vfs */ struct uacce_device { const char *algs; @@ -113,6 +114,7 @@ struct uacce_device { void *priv; struct list_head mm_list; struct mutex mm_lock; + struct inode *inode; }; /**
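Review bot: In uacce_fops_open, `uacce->inode = inode;` stores a bare inode pointer in the per-device structure on every open, with no reference taken and no lock held. Each later open overwrites it, none of the visible hunks clears it, and uacce_remove later dereferences it as `uacce->inode->i_mapping`. If the device is reachable through more than one inode, only the mapping of the last opener gets unmapped. Suggest recording the mapping per queue (for example from `filep->f_mapping`) or pinning the inode for as long as the pointer is stored.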
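Review bot: uacce_vma_fault returns `VM_FAULT_SIGBUS` only when FAULT_FLAG_WRITE or FAULT_FLAG_MKWRITE is set, and returns 0 for every other fault without setting `vmf->page`. A .fault handler that returns 0 is expected to have supplied a page, so a read access to the unmapped area after uacce_remove is not turned into SIGBUS the way the commit message describes. Suggest returning `VM_FAULT_SIGBUS` unconditionally, or adding a comment that explains why read faults are treated differently.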
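Review bot: In uacce_remove, the `unmap_mapping_range()` call runs before `mutex_lock(&uacce->mm_lock)` and reads `uacce->inode` with no synchronisation against the store in uacce_fops_open. Nothing in the visible lines stops a process that still holds an open file from calling mmap again between the unmap and the queue teardown that follows, which would recreate the mapping that was just removed. Suggest doing the unmap under the lock that serialises queue teardown, or marking the device as going away first so that later mmap calls fail. A blank line between the new block and the existing `/* ensure no open queue remains */` comment would also help readability.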
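Review bot: The kernel-doc line `@inode: core vfs` in include/linux/uacce.h does not say what the field holds or who owns it. Suggest wording along the lines of "inode of the most recently opened device file, used by uacce_remove to unmap user mappings", and stating that the visible code stores the pointer without holding a reference.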
When uacce parent device module is removed, user app may
still keep the mmaped area, which can be accessed unsafely.
When rmmod, Parent device driver will call uacce_remove,
which unmap all remaining mapping from user space for safety.
VM_FAULT_SIGBUS is also reported to user space accordingly.

Suggested-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
---
v2: Unmap before put_queue, where memory is freed, commented from Zaibo.

drivers/misc/uacce/uacce.c | 16 ++++++++++++++++
include/linux/uacce.h | 2 ++
2 files changed, 18 insertions(+)