From nobody Mon Feb 9 14:33:04 2026 Received: from canpmsgout01.his.huawei.com (canpmsgout01.his.huawei.com [113.46.200.216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF00533859C; Tue, 21 Oct 2025 13:50:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.216 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054614; cv=none; b=ry/TL3suwcOpXIgXOnvuFSyXBekvai8BcJnJaLnVDalm22xA6kuDi4qjpCzTPru04kRytOHCKsm4rH1z5WaZPhzYX9sLdXte03F5OdFgBAs2R5u+CUGajYVZN1sPoT8MtKN7f25lmklYv5PLILYoo68c6NtoSNYPqbkYGfQNd5E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761054614; c=relaxed/simple; bh=Qdg9FL6PkOVbcSXk+d4wy2mvqzBXFzljkk593XOfAGo=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Gm1qW0mVtYk6BljZbgh4e9MvfpjtW9PLJWDSAaitaHEqiggWOio9Y60HCYCFW3B4rVvq+qp8CGMZi1cCFRS/9QgwiSAY28hAGUVMkRjF1RhZ3crdqdXewRmutSiNQ0kzTblgLQKXp4Z4iSpMZWABs1QscO3XY4cinZH2kGM78KI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=Bq2Fj4Ca; arc=none smtp.client-ip=113.46.200.216 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="Bq2Fj4Ca" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=Vxmc6tMGMusZQB5aEkehobwbLkJE5tlzu+2w1I3v5kk=; b=Bq2Fj4CaPytKEgyYD/Wya4O+a4QCxuA3ZXtVodQ4MZITM1imSW8lr6GNZ1CZw+7EpIffQVJrb mvoNHi53ecogh30jqRusc0ZWZc05auR67vwp/J90FdeT4ICWj90gZlFGP1mJzCguG+4oacJAjtS EPhRvgIfa9ItEWsV/zIu3QM= Received: from mail.maildlp.com (unknown [172.19.163.252]) by canpmsgout01.his.huawei.com (SkyGuard) with ESMTPS id 4crYYj0rpnz1T4HL; Tue, 21 Oct 2025 21:49:13 +0800 (CST) Received: from dggemv705-chm.china.huawei.com (unknown [10.3.19.32]) by mail.maildlp.com (Postfix) with ESMTPS id 2EF36180B5A; Tue, 21 Oct 2025 21:50:06 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv705-chm.china.huawei.com (10.3.19.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 21 Oct 2025 21:50:05 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v3 4/4] uacce: ensure safe queue release with state management Date: Tue, 21 Oct 2025 21:50:03 +0800 Message-ID: <20251021135003.786588-5-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251021135003.786588-1-huangchenghai2@huawei.com> References: <20251021135003.786588-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. Fixes: 015d239ac014 ("uacce: add uacce driver") Cc: stable@vger.kernel.org Signed-off-by: Chenghai Huang Signed-off-by: Yang Shen --- drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 747efb2d36f5..cfebca4c0012 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacce_queue *q) return 0; } =20 -static int uacce_put_queue(struct uacce_queue *q) +static int uacce_stop_queue(struct uacce_queue *q) { struct uacce_device *uacce =3D q->uacce; =20 - if ((q->state =3D=3D UACCE_Q_STARTED) && uacce->ops->stop_queue) + if (q->state !=3D UACCE_Q_STARTED) + return 0; + + if (uacce->ops->stop_queue) uacce->ops->stop_queue(q); =20 - if ((q->state =3D=3D UACCE_Q_INIT || q->state =3D=3D UACCE_Q_STARTED) && - uacce->ops->put_queue) + q->state =3D UACCE_Q_INIT; + + return 0; +} + +static void uacce_put_queue(struct uacce_queue *q) +{ + struct uacce_device *uacce =3D q->uacce; + + uacce_stop_queue(q); + + if (q->state !=3D UACCE_Q_INIT) + return; + + if (uacce->ops->put_queue) uacce->ops->put_queue(q); =20 q->state =3D UACCE_Q_ZOMBIE; - - return 0; } =20 static long uacce_fops_unl_ioctl(struct file *filep, @@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct file *filep, ret =3D uacce_start_queue(q); break; case UACCE_CMD_PUT_Q: - ret =3D uacce_put_queue(q); + ret =3D uacce_stop_queue(q); break; default: if (uacce->ops->ioctl) --=20 2.33.0