Commit 2342a7d2 authored by Weili Qian's avatar Weili Qian Committed by JangShui Yang

uacce: check the qfr address before releasing the qfr

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB9H0P


CVE: NA

----------------------------------------------------------------------

When qfr type is UACCE_QFRT_SS, qfr may be noiommu_ss_default_qfr.
The memory is global static memory and cannot be freed. Therefore,
the qfr address needs to be checked before the qfr is released.

Fixes: c0b0e895 ("uacce: support UACCE_MODE_NOIOMMU mode")
Signed-off-by: default avatarWeili Qian <qianweili@huawei.com>
Signed-off-by: default avatarJiangShui Yang <yangjiangshui@h-partners.com>
parent 87492590
+3 −5
@@ -360,16 +360,13 @@ static void uacce_vma_close(struct vm_area_struct *vma)
	struct uacce_queue *q = vma->vm_private_data;
	struct uacce_qfile_region *qfr = NULL;
	struct uacce_device *uacce = q->uacce;
	struct device *dev = &q->uacce->dev;

	if (vma->vm_pgoff >= UACCE_MAX_REGION)
		return;

	qfr = q->qfrs[vma->vm_pgoff];
	if (!qfr) {
		dev_err(dev, "qfr NULL, type %lu!\n", vma->vm_pgoff);
	if (!qfr)
		return;
	}

	if (qfr->type == UACCE_QFRT_SS &&
	    atomic_read(&current->active_mm->mm_users) > 0) {
@@ -383,6 +380,7 @@ static void uacce_vma_close(struct vm_area_struct *vma)
		uacce_free_dma_buffers(q);
		q->qfrs[vma->vm_pgoff] = NULL;
		mutex_unlock(&uacce->mutex);
		if (qfr != &noiommu_ss_default_qfr)
			kfree(qfr);
	} else if (qfr->type != UACCE_QFRT_SS) {
		mutex_lock(&q->mutex);
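Review bot: The new guard before `kfree(qfr)` in the UACCE_QFRT_SS branch relies on an identity comparison with a static object, and nothing at the call site says why; a short comment such as `/* noiommu_ss_default_qfr is static storage, never kfree() it */` would keep a later refactor from dropping the check. `uacce_free_dma_buffers(q)` still runs unconditionally in the same branch, so it is worth confirming that it is safe when the region is the static default (its body is not in this hunk). Separately, `qfr` is read from `q->qfrs[vma->vm_pgoff]` at the top of the function before any lock visible here, while the slot is cleared under `uacce->mutex`; if two closes can reach this branch for the same queue, the cached pointer could be freed twice, so re-reading the slot after taking the mutex may be safer. The lines between the two hunks and the rest of uacce_vma_close are outside this view, so the locking point is inferred rather than confirmed.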