From nobody Mon Feb 9 16:16:43 2026 Received: from canpmsgout07.his.huawei.com (canpmsgout07.his.huawei.com [113.46.200.222]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F0E8215F4A; Wed, 22 Oct 2025 02:12:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.222 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761099147; cv=none; b=C8o5hZSqKQCQs6gY1bR14r5pErq1hDlfMZJlKpCAVsqAC5RcWLetm64tu4/LL+nQt/NKrcqBz46dEEUFVjRs9kcaaRV3JkUqxyHB693SYOW8uO8f9lMWGMLymRC2/wvUTaeIN2++2E/YdAxo5b5V3B+NiVeDFha1HjieO322fH0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1761099147; c=relaxed/simple; bh=FcifkQOS+dBr/vn3OYs1w6Gw9GUuWFoQQyBnMWK9FKE=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=gHaqmZJ9gnzkNqAdGiUPrS5va7CD8QSUfG5mSv9R3Nqo7euyOBDlNNHPToda6r1juP5lLupsjhJNcVNLcEbMvuqvInD2HJNa6i8iN7yPIpcmWxiXlFB01VDYEOXXcgN21r3tf97FUJ57BCuvXq1m0qP+cCcI8jQ+qFl1pRidEmQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=vLqw44vt; arc=none smtp.client-ip=113.46.200.222 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="vLqw44vt" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=Gu7YG9ZKv2zwbOqBSxqywLmciCCExDjuXMYKBAXjCBA=; b=vLqw44vtL6S7SEaf/7sdF+VktCQbldE1a/Ey0dFxgjalvAaDohPfszHc2A/gav+9M6E9SXvXi ehneThyJBN8d5PE2MInVtLT7HccoMd44qV+5xMabWBHlyPPcttOakR5YgRzCQgCDXBmOe89Tnhx YZcI/dzxl4bSrrRpgdR64BY= Received: from mail.maildlp.com (unknown [172.19.163.17]) by canpmsgout07.his.huawei.com (SkyGuard) with ESMTPS id 4crt2j4LWSzLlsB; Wed, 22 Oct 2025 10:11:57 +0800 (CST) Received: from dggemv705-chm.china.huawei.com (unknown [10.3.19.32]) by mail.maildlp.com (Postfix) with ESMTPS id 076D11A0195; Wed, 22 Oct 2025 10:12:22 +0800 (CST) Received: from kwepemq200001.china.huawei.com (7.202.195.16) by dggemv705-chm.china.huawei.com (10.3.19.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Wed, 22 Oct 2025 10:11:53 +0800 Received: from localhost.huawei.com (10.90.31.46) by kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Wed, 22 Oct 2025 10:11:52 +0800 From: Chenghai Huang To: , , CC: , , , , , , Subject: [PATCH v4 4/4] uacce: ensure safe queue release with state management Date: Wed, 22 Oct 2025 10:11:49 +0800 Message-ID: <20251022021149.1771168-5-huangchenghai2@huawei.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20251022021149.1771168-1-huangchenghai2@huawei.com> References: <20251022021149.1771168-1-huangchenghai2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems500001.china.huawei.com (7.221.188.70) To kwepemq200001.china.huawei.com (7.202.195.16) Content-Type: text/plain; charset="utf-8" Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. Fixes: 015d239ac014 ("uacce: add uacce driver") Cc: stable@vger.kernel.org Signed-off-by: Chenghai Huang Signed-off-by: Yang Shen Acked-by: Zhangfei Gao --- drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 34fd07b4e7c5..2b35599f1d98 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacce_queue *q) return 0; } =20 -static int uacce_put_queue(struct uacce_queue *q) +static int uacce_stop_queue(struct uacce_queue *q) { struct uacce_device *uacce =3D q->uacce; =20 - if ((q->state =3D=3D UACCE_Q_STARTED) && uacce->ops->stop_queue) + if (q->state !=3D UACCE_Q_STARTED) + return 0; + + if (uacce->ops->stop_queue) uacce->ops->stop_queue(q); =20 - if ((q->state =3D=3D UACCE_Q_INIT || q->state =3D=3D UACCE_Q_STARTED) && - uacce->ops->put_queue) + q->state =3D UACCE_Q_INIT; + + return 0; +} + +static void uacce_put_queue(struct uacce_queue *q) +{ + struct uacce_device *uacce =3D q->uacce; + + uacce_stop_queue(q); + + if (q->state !=3D UACCE_Q_INIT) + return; + + if (uacce->ops->put_queue) uacce->ops->put_queue(q); =20 q->state =3D UACCE_Q_ZOMBIE; - - return 0; } =20 static long uacce_fops_unl_ioctl(struct file *filep, @@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct file *filep, ret =3D uacce_start_queue(q); break; case UACCE_CMD_PUT_Q: - ret =3D uacce_put_queue(q); + ret =3D uacce_stop_queue(q); break; default: if (uacce->ops->ioctl) --=20 2.33.0