Commit acc670db authored by Zhangfei Gao's avatar Zhangfei Gao Committed by Herbert Xu

uacce: unmap remaining mmapping from user space

When uacce parent device module is removed, user app may
still keep the mmaped area, which can be accessed unsafely.
When rmmod, Parent device driver will call uacce_remove,
which unmap all remaining mapping from user space for safety.
VM_FAULT_SIGBUS is also reported to user space accordingly.
Suggested-by: default avatarDave Jiang <dave.jiang@intel.com>
Signed-off-by: default avatarZhangfei Gao <zhangfei.gao@linaro.org>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 732e5409
...@@ -224,6 +224,7 @@ static int uacce_fops_open(struct inode *inode, struct file *filep) ...@@ -224,6 +224,7 @@ static int uacce_fops_open(struct inode *inode, struct file *filep)
init_waitqueue_head(&q->wait); init_waitqueue_head(&q->wait);
filep->private_data = q; filep->private_data = q;
uacce->inode = inode;
q->state = UACCE_Q_INIT; q->state = UACCE_Q_INIT;
return 0; return 0;
...@@ -253,6 +254,14 @@ static int uacce_fops_release(struct inode *inode, struct file *filep) ...@@ -253,6 +254,14 @@ static int uacce_fops_release(struct inode *inode, struct file *filep)
return 0; return 0;
} }
static vm_fault_t uacce_vma_fault(struct vm_fault *vmf)
{
if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE))
return VM_FAULT_SIGBUS;
return 0;
}
static void uacce_vma_close(struct vm_area_struct *vma) static void uacce_vma_close(struct vm_area_struct *vma)
{ {
struct uacce_queue *q = vma->vm_private_data; struct uacce_queue *q = vma->vm_private_data;
...@@ -265,6 +274,7 @@ static void uacce_vma_close(struct vm_area_struct *vma) ...@@ -265,6 +274,7 @@ static void uacce_vma_close(struct vm_area_struct *vma)
} }
static const struct vm_operations_struct uacce_vm_ops = { static const struct vm_operations_struct uacce_vm_ops = {
.fault = uacce_vma_fault,
.close = uacce_vma_close, .close = uacce_vma_close,
}; };
...@@ -556,6 +566,12 @@ void uacce_remove(struct uacce_device *uacce) ...@@ -556,6 +566,12 @@ void uacce_remove(struct uacce_device *uacce)
if (!uacce) if (!uacce)
return; return;
/*
* unmap remaining mapping from user space, preventing user still
* access the mmaped area while parent device is already removed
*/
if (uacce->inode)
unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
/* ensure no open queue remains */ /* ensure no open queue remains */
mutex_lock(&uacce->mm_lock); mutex_lock(&uacce->mm_lock);
......
...@@ -98,6 +98,7 @@ struct uacce_queue { ...@@ -98,6 +98,7 @@ struct uacce_queue {
* @priv: private pointer of the uacce * @priv: private pointer of the uacce
* @mm_list: list head of uacce_mm->list * @mm_list: list head of uacce_mm->list
* @mm_lock: lock for mm_list * @mm_lock: lock for mm_list
* @inode: core vfs
*/ */
struct uacce_device { struct uacce_device {
const char *algs; const char *algs;
...@@ -113,6 +114,7 @@ struct uacce_device { ...@@ -113,6 +114,7 @@ struct uacce_device {
void *priv; void *priv;
struct list_head mm_list; struct list_head mm_list;
struct mutex mm_lock; struct mutex mm_lock;
struct inode *inode;
}; };
/** /**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment