From nobody Sun Feb 8 05:37:02 2026 Received: from canpmsgout04.his.huawei.com (canpmsgout04.his.huawei.com [113.46.200.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA90D33A01A; Tue, 21 Oct 2025 13:50:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.219 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054617; cv=none; b=srEizN9A+NAAigMwWn0oy0tCmK8a0nzdIEsKM5clBDYBFueQfjpMANsYzCZ8ukEp7kck59tk5E4JQYA1CebQkVzS9cXVkSz2xm7GARF9KbcQTc7io8F0zkVxLCVuPcOnrU5cNqPRcsSOeO6+jC+4uIgn6Nsuj98lPNxlM32ddJI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054617; c=relaxed/simple; bh=hWOCC4M64E0HCR/i6BczLCQ0ErSkLekK7uU4+1bkmLY=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=qJU1T3+nxcjI1QsKmYGRge0Oi/QsoM5eMo39+aSlILXfnhBk2pZojh5UrgeCJ4/AS9NLTeY2HZflP6nGNBkbqfjX2OWIzNq+l4lrGB5onpaA5ejlaC/WlMhz6LZFnTjGinB3jHXPr086uMBolmsWfHoE/YUprDHlHsNwxPuPzjM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=nIXvyfJw; arc=none smtp.client-ip=113.46.200.219 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="nIXvyfJw" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=INfemayc9W6N5hQfUFOB1hQsvy36xI//nAITyW85/tg=; b=nIXvyfJw02GH8R1cDzyx8SVSmIptk34q6zANKqwuyXbBIGripLSf/Uz8c8xpcf+AmbJ8e7tDt qXCcsBiIKSay/6lOKXJN/pLOT1tNlnKfqR9yleYWb00GZ6WMCQlq/CDgCMKqUNN+f2GRvk5SXAP rQaAkRllh3eyU10Fhxue+Co= Received: from mail.maildlp.com (unknown [172.19.163.174]) by canpmsgout04.his.huawei.com (SkyGuard) with ESMTPS id 4crYZD3Hjhz1prPw; Tue, 21 Oct 2025 21:49:40 +0800 (CST) Received: from dggemv706-chm.china.huawei.com (unknown [10.3.19.33]) by mail.maildlp.com (Postfix) with ESMTPS id E9378140156; Tue, 21 Oct 2025 21:50:04 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv706-chm.china.huawei.com (10.3.19.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:04 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:04 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v3 1/4] uacce: fix for cdev memory leak Date: Tue, 21 Oct 2025 21:50:00 +0800 Message-ID: <20251021135003.786588-2-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251021135003.786588-1-huangchenghai2@huawei.com> References: <20251021135003.786588-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" From: Wenkai Lin In uacce_register(), if cdev_device_add() fails, we should properly decrease the reference count of the cdev kobject and set uacce->cdev to NULL to avoid potential use-after-free or double free issues. This change adds proper error handling after cdev_device_add() fails, ensuring that kobject_put() is called and uacce->cdev is cleared. Fixes: 015d239ac014 ("uacce: add uacce driver") Cc: stable@vger.kernel.org Signed-off-by: Wenkai Lin Signed-off-by: Chenghai Huang --- drivers/misc/uacce/uacce.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 42e7d2a2a90c..9b82a6731832 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -519,6 +519,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc); */ int uacce_register(struct uacce_device *uacce) { + int ret; + if (!uacce) return -ENODEV; =20 @@ -529,7 +531,14 @@ int uacce_register(struct uacce_device *uacce) uacce->cdev->ops =3D &uacce_fops; uacce->cdev->owner =3D THIS_MODULE; =20 - return cdev_device_add(uacce->cdev, &uacce->dev); + ret =3D cdev_device_add(uacce->cdev, &uacce->dev); + if (ret) { + kobject_put(&uacce->cdev->kobj); + uacce->cdev =3D NULL; + return ret; + } + + return 0; } EXPORT_SYMBOL_GPL(uacce_register); =20 --=20 2.33.0 From nobody Sun Feb 8 05:37:02 2026 Received: from canpmsgout10.his.huawei.com (canpmsgout10.his.huawei.com [113.46.200.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C66372F5492; Tue, 21 Oct 2025 13:50:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.225 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054613; cv=none; b=IhpAPEGEd+xGs2dE5OJVbTpeo1IwdCV6II1i/ooghL0WF+kzAQT+0YFtA29+6U9MDCMb91GLelVWzGenIvXGrwhbZ9TjtQ8D9ieaWSLxq/IiM3YoXPHOBB8XYHmaI6iTHyT5nl7VbSSyAWzLRiP+twLbXMVjEYrqeiH+w+bnR6A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054613; c=relaxed/simple; bh=VaYpFyaLOvGJOgM1vGoEzCAZvxW9y3Xe31bRCCfJa60=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=sSTO+C+8W+IdZk7bIi4t0VgC3bwJ4C191zF2msTuXrdzRJEhMWv34SKmhuF54JxdJhpvQSpNtfKkTJ8L0UhkezMOx2lZeBTbnqXDherT7gm6XvP8j27ereJ6+qoR3T+6tOgVlu4GRRuVd241QSdPgBJHsf9wwDsW446K+6JB0J8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=nepGEfMD; arc=none smtp.client-ip=113.46.200.225 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="nepGEfMD" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=EyniE1B+gWYxyFjKYyOEA4mBgWoHm7pSVUPuBcV8c10=; b=nepGEfMDnGNP37rJD8TamMPrt1J9kAbrgF/GGUEr8Q1muWCntlOZlEwJFWSWOYkqaGApl/SZ5 szg3zG7JSDrwBtelKwYl+bC8O7N8kktg8d4WqjFquSBuDuVKM/1/YA60qCU/pX+fhxb97kFYPxw WDgdP75t7/x0XqkK/kqBUt0= Received: from mail.maildlp.com (unknown [172.19.88.234]) by canpmsgout10.his.huawei.com (SkyGuard) with ESMTPS id 4crYZG0Wzyz1K96c; Tue, 21 Oct 2025 21:49:42 +0800 (CST) Received: from dggemv712-chm.china.huawei.com (unknown [10.1.198.32]) by mail.maildlp.com (Postfix) with ESMTPS id 74C76140259; Tue, 21 Oct 2025 21:50:05 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv712-chm.china.huawei.com (10.1.198.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:04 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v3 2/4] uacce: fix isolate sysfs check condition Date: Tue, 21 Oct 2025 21:50:01 +0800 Message-ID: <20251021135003.786588-3-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251021135003.786588-1-huangchenghai2@huawei.com> References: <20251021135003.786588-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, check whether the function exists before calling isolate_err_threshold_read or isolate_err_threshold_write. Fixes: e3e289fbc0b5 ("uacce: supports device isolation feature") Cc: stable@vger.kernel.org Signed-off-by: Chenghai Huang --- drivers/misc/uacce/uacce.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 9b82a6731832..e3433d95640a 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -382,6 +382,9 @@ static ssize_t isolate_strategy_show(struct device *dev= , struct device_attribute struct uacce_device *uacce =3D to_uacce_device(dev); u32 val; =20 + if (!uacce->ops->isolate_err_threshold_read) + return -ENOENT; + val =3D uacce->ops->isolate_err_threshold_read(uacce); =20 return sysfs_emit(buf, "%u\n", val); @@ -394,6 +397,9 @@ static ssize_t isolate_strategy_store(struct device *de= v, struct device_attribut unsigned long val; int ret; =20 + if (!uacce->ops->isolate_err_threshold_write) + return -ENOENT; + if (kstrtoul(buf, 0, &val) < 0) return -EINVAL; =20 @@ -440,9 +446,7 @@ static umode_t uacce_dev_is_visible(struct kobject *kob= j, (!uacce->qf_pg_num[UACCE_QFRT_DUS]))) return 0; =20 - if (attr =3D=3D &dev_attr_isolate_strategy.attr && - (!uacce->ops->isolate_err_threshold_read && - !uacce->ops->isolate_err_threshold_write)) + if (attr =3D=3D &dev_attr_isolate_strategy.attr) return 0; =20 if (attr =3D=3D &dev_attr_isolate.attr && !uacce->ops->get_isolate_state) --=20 2.33.0 From nobody Sun Feb 8 05:37:03 2026 Received: from canpmsgout11.his.huawei.com (canpmsgout11.his.huawei.com [113.46.200.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C65BD22B8CB; Tue, 21 Oct 2025 13:50:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.226 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054613; cv=none; b=kkEbwmUCH/T8Nu0r/lPR0quExqFvNKVmXDYRi1hBWXDr8mr/tvOzGTH3xSoV76RdfQsp2vSlp1iWg9fQuSWeCKW3YAGtwdpsxYI19kUg4rI4WAnbTFjoj6/RTfL3FPMDDzlUZqa2AG+WLgvPWFTbwhYUUro3UaGl+X1GhLfFOnc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054613; c=relaxed/simple; bh=kpmwgAUt/JX9IN+RW7ZW5CdLSXeY9k7z3Cr+RzWrnbk=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Z/oqxUhnaofCcEDhZpoystJ6+bZ91Gi9uwyl0IARN5KE/9QsXgUxdN5CVY8C/5lmJsKUdrA4HXLWzvaa5PWYuDxFDM50OdVjuKSSPocGLfj8g0Pwb2JQGQMBk8T36fjQexMigT4w6vaaPKpTGJmIcZ6fslMMBWJDqvX2LwXUCjU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=rfXFWHYO; arc=none smtp.client-ip=113.46.200.226 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="rfXFWHYO" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=JBTdOkRodgvGwfoSt6YtVfH2mVh3oYR8dryGCsqDCzc=; b=rfXFWHYOKIFsTT7Nuqjip598RNiZaUQUTMZQgNRpSItF8llY1RBHE/JSZkkImM4A60ZrxgxEN egNpotdZUIgNEZQBEcbwnEsEXKeoYnzp3xkyChMQup2pNF7IAqdSY7uozHTXzhCraID3j7BMQIZ QyZZ1Btfu3jTG599wg2+TeA= Received: from mail.maildlp.com (unknown [172.19.163.44]) by canpmsgout11.his.huawei.com (SkyGuard) with ESMTPS id 4crYZF4rrCzKm5G; Tue, 21 Oct 2025 21:49:41 +0800 (CST) Received: from dggemv712-chm.china.huawei.com (unknown [10.1.198.32]) by mail.maildlp.com (Postfix) with ESMTPS id A4F1A140120; Tue, 21 Oct 2025 21:50:05 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv712-chm.china.huawei.com (10.1.198.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v3 3/4] uacce: implement mremap in uacce_vm_ops to return -EPERM Date: Tue, 21 Oct 2025 21:50:02 +0800 Message-ID: <20251021135003.786588-4-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251021135003.786588-1-huangchenghai2@huawei.com> References: <20251021135003.786588-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" From: Yang Shen The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma's vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). Fixes: 015d239ac014 ("uacce: add uacce driver") Cc: stable@vger.kernel.org Signed-off-by: Yang Shen Signed-off-by: Chenghai Huang --- drivers/misc/uacce/uacce.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index e3433d95640a..747efb2d36f5 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -214,8 +214,14 @@ static void uacce_vma_close(struct vm_area_struct *vma) } } =20 +static int uacce_vma_mremap(struct vm_area_struct *area) +{ + return -EPERM; +} + static const struct vm_operations_struct uacce_vm_ops =3D { .close =3D uacce_vma_close, + .mremap =3D uacce_vma_mremap, }; =20 static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma) --=20 2.33.0 From nobody Sun Feb 8 05:37:03 2026 Received: from canpmsgout01.his.huawei.com (canpmsgout01.his.huawei.com [113.46.200.216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF00533859C; Tue, 21 Oct 2025 13:50:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.216 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054614; cv=none; b=ry/TL3suwcOpXIgXOnvuFSyXBekvai8BcJnJaLnVDalm22xA6kuDi4qjpCzTPru04kRytOHCKsm4rH1z5WaZPhzYX9sLdXte03F5OdFgBAs2R5u+CUGajYVZN1sPoT8MtKN7f25lmklYv5PLILYoo68c6NtoSNYPqbkYGfQNd5E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054614; c=relaxed/simple; bh=Qdg9FL6PkOVbcSXk+d4wy2mvqzBXFzljkk593XOfAGo=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Gm1qW0mVtYk6BljZbgh4e9MvfpjtW9PLJWDSAaitaHEqiggWOio9Y60HCYCFW3B4rVvq+qp8CGMZi1cCFRS/9QgwiSAY28hAGUVMkRjF1RhZ3crdqdXewRmutSiNQ0kzTblgLQKXp4Z4iSpMZWABs1QscO3XY4cinZH2kGM78KI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=Bq2Fj4Ca; arc=none smtp.client-ip=113.46.200.216 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="Bq2Fj4Ca" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=Vxmc6tMGMusZQB5aEkehobwbLkJE5tlzu+2w1I3v5kk=; b=Bq2Fj4CaPytKEgyYD/Wya4O+a4QCxuA3ZXtVodQ4MZITM1imSW8lr6GNZ1CZw+7EpIffQVJrb mvoNHi53ecogh30jqRusc0ZWZc05auR67vwp/J90FdeT4ICWj90gZlFGP1mJzCguG+4oacJAjtS EPhRvgIfa9ItEWsV/zIu3QM= Received: from mail.maildlp.com (unknown [172.19.163.252]) by canpmsgout01.his.huawei.com (SkyGuard) with ESMTPS id 4crYYj0rpnz1T4HL; Tue, 21 Oct 2025 21:49:13 +0800 (CST) Received: from dggemv705-chm.china.huawei.com (unknown [10.3.19.32]) by mail.maildlp.com (Postfix) with ESMTPS id 2EF36180B5A; Tue, 21 Oct 2025 21:50:06 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv705-chm.china.huawei.com (10.3.19.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v3 4/4] uacce: ensure safe queue release with state management Date: Tue, 21 Oct 2025 21:50:03 +0800 Message-ID: <20251021135003.786588-5-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251021135003.786588-1-huangchenghai2@huawei.com> References: <20251021135003.786588-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. Fixes: 015d239ac014 ("uacce: add uacce driver") Cc: stable@vger.kernel.org Signed-off-by: Chenghai Huang Signed-off-by: Yang Shen --- drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 747efb2d36f5..cfebca4c0012 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacce_queue *q) return 0; } =20 -static int uacce_put_queue(struct uacce_queue *q) +static int uacce_stop_queue(struct uacce_queue *q) { struct uacce_device *uacce =3D q->uacce; =20 - if ((q->state =3D=3D UACCE_Q_STARTED) && uacce->ops->stop_queue) + if (q->state !=3D UACCE_Q_STARTED) + return 0; + + if (uacce->ops->stop_queue) uacce->ops->stop_queue(q); =20 - if ((q->state =3D=3D UACCE_Q_INIT || q->state =3D=3D UACCE_Q_STARTED) && - uacce->ops->put_queue) + q->state =3D UACCE_Q_INIT; + + return 0; +} + +static void uacce_put_queue(struct uacce_queue *q) +{ + struct uacce_device *uacce =3D q->uacce; + + uacce_stop_queue(q); + + if (q->state !=3D UACCE_Q_INIT) + return; + + if (uacce->ops->put_queue) uacce->ops->put_queue(q); =20 q->state =3D UACCE_Q_ZOMBIE; - - return 0; } =20 static long uacce_fops_unl_ioctl(struct file *filep, @@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct file *filep, ret =3D uacce_start_queue(q); break; case UACCE_CMD_PUT_Q: - ret =3D uacce_put_queue(q); + ret =3D uacce_stop_queue(q); break; default: if (uacce->ops->ioctl) --=20 2.33.0