From nobody Wed Dec 17 09:27:57 2025
Received: from canpmsgout12.his.huawei.com (canpmsgout12.his.huawei.com
 [113.46.200.227])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 277C82FFFA3;
	Tue,  2 Dec 2025 06:13:07 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=113.46.200.227
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764655990; cv=none;
 b=eb8YdzgsfGAUdmriy3mXow5Vh+Hjqd2hDl1yLXoAUXt24A6BWXww8OddgDalEX0JslA+fwcp+RMl8195ddKb+SU4WPBAWSSbeCQb5dgOgujgzk1LCjdXlFaXDcc8dyHXFZHCZfbdgF+drho2IK+t/aH8y2G2kTq3BYPzxLaL5Ec=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764655990; c=relaxed/simple;
	bh=pua1amQvV9fCow0RBdrdv99qmahXdFL4paOWtrQkMFs=;
	h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=h65XAnday8mYtjyKcImyOJUvbhAAXFhLuvGOcQYXYAz6AjSaoGi51ur/b6j5Gd18DKHg0Fy//8c2qWyY6tyxpUJqlLwVxxg485ffRfsEXhvYTFfMcTUIFW9hdeD44vKFyGEV7ZEyMeGaEkbwVeh2SF1wveNofmL3vvI49MCcog0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=huawei.com;
 spf=pass smtp.mailfrom=huawei.com;
 dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com
 header.b=NtvX5/gt; arc=none smtp.client-ip=113.46.200.227
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=huawei.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=huawei.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com
 header.b="NtvX5/gt"
dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim;
	c=relaxed/relaxed; q=dns/txt;
	h=From;
	bh=jhA8g0wHjWM0boaunGsWLeE7SRcYqrx99SvDaAeBx+0=;
	b=NtvX5/gtfa/vLlxGaBC6VmEvYl3r8wjwIkX5ZdjIn6hIKpjKr1Zv1L6kgN1aJzmDxIk30dGsr
	f9TjdXv1aZqxyo1R2c0IlV4ipQp2MbcYgDSV9jGaLHR1Xv4gHyNjMF0TJxJDAtPDVDsUqJwFqgW
	HvxIYaJnL6EohLHiTOxBcQc=
Received: from mail.maildlp.com (unknown [172.19.88.214])
	by canpmsgout12.his.huawei.com (SkyGuard) with ESMTPS id 4dL9P93ZQNznTXp;
	Tue,  2 Dec 2025 14:10:37 +0800 (CST)
Received: from dggemv705-chm.china.huawei.com (unknown [10.3.19.32])
	by mail.maildlp.com (Postfix) with ESMTPS id A23BF1A016C;
	Tue,  2 Dec 2025 14:12:59 +0800 (CST)
Received: from kwepemq200001.china.huawei.com (7.202.195.16) by
 dggemv705-chm.china.huawei.com (10.3.19.32) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1544.11; Tue, 2 Dec 2025 14:12:59 +0800
Received: from localhost.huawei.com (10.90.31.46) by
 kwepemq200001.china.huawei.com (7.202.195.16) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1544.11; Tue, 2 Dec 2025 14:12:59 +0800
From: Chenghai Huang <huangchenghai2@huawei.com>
To: <gregkh@linuxfoundation.org>, <zhangfei.gao@linaro.org>,
	<wangzhou1@hisilicon.com>
CC: <linux-kernel@vger.kernel.org>, <linux-crypto@vger.kernel.org>,
	<fanghao11@huawei.com>, <shenyang39@huawei.com>, <liulongfang@huawei.com>,
	<qianweili@huawei.com>, <linwenkai6@hisilicon.com>
Subject: [PATCH v6 4/4] uacce: ensure safe queue release with state management
Date: Tue, 2 Dec 2025 14:12:56 +0800
Message-ID: <20251202061256.4158641-5-huangchenghai2@huawei.com>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20251202061256.4158641-1-huangchenghai2@huawei.com>
References: <20251202061256.4158641-1-huangchenghai2@huawei.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To
 kwepemq200001.china.huawei.com (7.202.195.16)
Content-Type: text/plain; charset="utf-8"

Directly calling `put_queue` carries risks since it cannot
guarantee that resources of `uacce_queue` have been fully released
beforehand. So adding a `stop_queue` operation for the
UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
the final resource release ensures safety.

Queue states are defined as follows:
- UACCE_Q_ZOMBIE: Initial state
- UACCE_Q_INIT: After opening `uacce`
- UACCE_Q_STARTED: After `start` is issued via `ioctl`

When executing `poweroff -f` in virt while accelerator are still
working, `uacce_fops_release` and `uacce_remove` may execute
concurrently. This can cause `uacce_put_queue` within
`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
state checks to prevent accessing freed pointers.

Fixes: 015d239ac014 ("uacce: add uacce driver")
Cc: stable@vger.kernel.org
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Yang Shen <shenyang39@huawei.com>
Acked-by: Zhangfei Gao <zhangfei.gao@linaro.org>
---
 drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index c061c6fa1c5e..6d71355528d3 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacce_queue *q)
 	return 0;
 }
=20
-static int uacce_put_queue(struct uacce_queue *q)
+static int uacce_stop_queue(struct uacce_queue *q)
 {
 	struct uacce_device *uacce =3D q->uacce;
=20
-	if ((q->state =3D=3D UACCE_Q_STARTED) && uacce->ops->stop_queue)
+	if (q->state !=3D UACCE_Q_STARTED)
+		return 0;
+
+	if (uacce->ops->stop_queue)
 		uacce->ops->stop_queue(q);
=20
-	if ((q->state =3D=3D UACCE_Q_INIT || q->state =3D=3D UACCE_Q_STARTED) &&
-	     uacce->ops->put_queue)
+	q->state =3D UACCE_Q_INIT;
+
+	return 0;
+}
+
+static void uacce_put_queue(struct uacce_queue *q)
+{
+	struct uacce_device *uacce =3D q->uacce;
+
+	uacce_stop_queue(q);
+
+	if (q->state !=3D UACCE_Q_INIT)
+		return;
+
+	if (uacce->ops->put_queue)
 		uacce->ops->put_queue(q);
=20
 	q->state =3D UACCE_Q_ZOMBIE;
-
-	return 0;
 }
=20
 static long uacce_fops_unl_ioctl(struct file *filep,
@@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct file *filep,
 		ret =3D uacce_start_queue(q);
 		break;
 	case UACCE_CMD_PUT_Q:
-		ret =3D uacce_put_queue(q);
+		ret =3D uacce_stop_queue(q);
 		break;
 	default:
 		if (uacce->ops->ioctl)
--=20
2.33.0