Re: [PATCH v2] uacce: unmap remaining mmapping from user space

2020-03-05 Thread zhangfei



On 2020/3/6 9:51 AM, Herbert Xu wrote:
> On Wed, Feb 26, 2020 at 03:12:06PM +0800, Zhangfei Gao wrote:
> > When uacce parent device module is removed, user app may
> > still keep the mmaped area, which can be accessed unsafely.
> > When rmmod, Parent device driver will call uacce_remove,
> > which unmap all remaining mapping from user space for safety.
> > VM_FAULT_SIGBUS is also reported to user space accordingly.
> >
> > Suggested-by: Dave Jiang 
> > Signed-off-by: Zhangfei Gao 
> > ---
> >  v2: Unmap before put_queue, where memory is freed, commented from Zaibo.
> >
> >  drivers/misc/uacce/uacce.c | 16 
> >  include/linux/uacce.h  |  2 ++
> >  2 files changed, 18 insertions(+)
>
> Patch applied.  Thanks.

Thanks Herbert for the help.
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Re: [PATCH v2] uacce: unmap remaining mmapping from user space

2020-03-05 Thread Herbert Xu
On Wed, Feb 26, 2020 at 03:12:06PM +0800, Zhangfei Gao wrote:
> When uacce parent device module is removed, user app may
> still keep the mmaped area, which can be accessed unsafely.
> When rmmod, Parent device driver will call uacce_remove,
> which unmap all remaining mapping from user space for safety.
> VM_FAULT_SIGBUS is also reported to user space accordingly.
> 
> Suggested-by: Dave Jiang 
> Signed-off-by: Zhangfei Gao 
> ---
>  v2: Unmap before put_queue, where memory is freed, commented from Zaibo.
> 
>  drivers/misc/uacce/uacce.c | 16 
>  include/linux/uacce.h  |  2 ++
>  2 files changed, 18 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


[PATCH v2] uacce: unmap remaining mmapping from user space

2020-02-25 Thread Zhangfei Gao
When uacce parent device module is removed, user app may
still keep the mmaped area, which can be accessed unsafely.
When rmmod, Parent device driver will call uacce_remove,
which unmap all remaining mapping from user space for safety.
VM_FAULT_SIGBUS is also reported to user space accordingly.

Suggested-by: Dave Jiang 
Signed-off-by: Zhangfei Gao 
---
 v2: Unmap before put_queue, where memory is freed, commented from Zaibo.

 drivers/misc/uacce/uacce.c | 16 
 include/linux/uacce.h  |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index ffced4d..d39307f 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -224,6 +224,7 @@ static int uacce_fops_open(struct inode *inode, struct file 
*filep)
 
init_waitqueue_head(>wait);
filep->private_data = q;
+   uacce->inode = inode;
q->state = UACCE_Q_INIT;
 
return 0;
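Review bot: the "uacce->inode = inode;" assignment in uacce_fops_open() stores a bare pointer with no reference taken and no lock held, and every later open overwrites it. Nothing in this patch clears it on release, so uacce_remove() can read a pointer to an inode that has since been evicted, and it only ever covers the mapping of whichever inode was opened last. Consider recording the address_space per queue from filep->f_mapping, or pinning the inode with ihold() and dropping it on teardown, so the pointer stays valid for as long as it is used.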
@@ -253,6 +254,14 @@ static int uacce_fops_release(struct inode *inode, struct 
file *filep)
return 0;
 }
 
+static vm_fault_t uacce_vma_fault(struct vm_fault *vmf)
+{
+   if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE))
+   return VM_FAULT_SIGBUS;
+
+   return 0;
+}
+
 static void uacce_vma_close(struct vm_area_struct *vma)
 {
struct uacce_queue *q = vma->vm_private_data;
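Review bot: uacce_vma_fault() returns 0 for any fault that is not a write, but it never sets vmf->page or installs a mapping, and a 0 return from a .fault handler tells the core fault path that a page was supplied. A read access to the unmapped area therefore does not get the SIGBUS the commit message promises. Since this handler has nothing to map back in, return VM_FAULT_SIGBUS unconditionally, or document what the read path is expected to do.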
@@ -265,6 +274,7 @@ static void uacce_vma_close(struct vm_area_struct *vma)
 }
 
 static const struct vm_operations_struct uacce_vm_ops = {
+   .fault = uacce_vma_fault,
.close = uacce_vma_close,
 };
 
@@ -556,6 +566,12 @@ void uacce_remove(struct uacce_device *uacce)
 
if (!uacce)
return;
+   /*
+* unmap remaining mapping from user space, preventing user still
+* access the mmaped area while parent device is already removed
+*/
+   if (uacce->inode)
+   unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
 
/* ensure no open queue remains */
mutex_lock(>mm_lock);
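Review bot: in uacce_remove() the unmap_mapping_range() call runs before mm_lock is taken, and uacce->inode is read without any synchronization against uacce_fops_open(). Nothing visible here stops a process from calling mmap() on an already open queue between the unmap and the queue teardown below, which would leave a fresh user mapping behind after the parent device is gone. Mark the device as going away first so that open and mmap fail, or do the unmap under a lock that the open and mmap paths also take. Minor: the comment would read better as "so that user space can no longer access the mmapped area once the parent device has been removed".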
diff --git a/include/linux/uacce.h b/include/linux/uacce.h
index 904a461..0e215e6 100644
--- a/include/linux/uacce.h
+++ b/include/linux/uacce.h
@@ -98,6 +98,7 @@ struct uacce_queue {
  * @priv: private pointer of the uacce
  * @mm_list: list head of uacce_mm->list
  * @mm_lock: lock for mm_list
+ * @inode: core vfs
  */
 struct uacce_device {
const char *algs;
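Review bot: the kernel-doc line "@inode: core vfs" does not tell a reader what the field holds. State which inode it is (the one passed to the most recent uacce_fops_open()), who may write it, whether a reference is held, and that uacce_remove() uses its i_mapping to zap user mappings.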
@@ -113,6 +114,7 @@ struct uacce_device {
void *priv;
struct list_head mm_list;
struct mutex mm_lock;
+   struct inode *inode;
 };
 
 /**
-- 
2.7.4
