Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp1216208iog; Thu, 16 Jun 2022 01:16:29 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sHrc1fujnxJYULQqipguuT+FSMCgM0t5TyzAby3e5xZiNr0/ZPBGUfmQY1SgywfoxOoagP X-Received: by 2002:a17:906:3693:b0:718:4125:f08d with SMTP id a19-20020a170906369300b007184125f08dmr3300875ejc.146.1655367389567; Thu, 16 Jun 2022 01:16:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655367389; cv=none; d=google.com; s=arc-20160816; b=KLCku26QBJDDs66mni9qT0aQN9+FwcV952tPPRmm6r0lMY6SQtAyif8aKieSG32uj9 bf0osb3GEekuuMZPdFqKOqZMOevDRKXDwzw8h7N8sQazUW7NSRNaztNc0B+OhvDe4VHB X7Uzrqg81OusMGLLc6YsyEqD/nZGTEFcO/vx1F6uwJq4+hjROuY4dEFmeMJAg9v5KM8m Q6wmBoazJ3wQg4ZqJezFJBzN6VKw/ttGyncSF7pUH9fPJCUn1GMZVPhB1jqxN3SBPHAJ 3Ps1R1U3q/g5CjvqdjH3eieN8cSv13jhPkQ3SwS8/VxODn4ZAI6oKDc1eX8vLE3LfZWu Xjtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=NTbh4MI+QCwbcpkgIpo7198UESJ/mO1+VW3Q06LAB7c=; b=Pgovos1rkWg2Lg2V5z8g7kWzRsj9YIdf58Ccdyl8wNIb6kkgzYPxOKQ+BKURWNKvy0 P7qfIkA6xOv3yKTlPmIZov9GBKnRufYKLlVU5hhDBbPTUZ2XK8E9AHpnjVJ576dTzIBN j+HgagFig8Yht0gBpE17zAsonbfm0yZOzoHQE8EWnUN8oH1fesZhxqyutZzOcEfC3OSo Lh+TUuEzhsZoWEMNAloPz8a8iV2sVMf2jr6WQ2YFF3W2hZVk4IbqZ8da5ci2cDLZMivE cj7QEigXmz26d/is8pHQsupa437faIl7Zf8P4hUzXiScPzMDTPbhP1qeTdnWTGOcsvS+ KH2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=jaqw6FnW; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i21-20020a1709067a5500b00707e87fe126si1000369ejo.99.2022.06.16.01.15.52; Thu, 16 Jun 2022 01:16:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=jaqw6FnW; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231482AbiFPIPL (ORCPT + 99 others); Thu, 16 Jun 2022 04:15:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34644 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230045AbiFPIPK (ORCPT ); Thu, 16 Jun 2022 04:15:10 -0400 Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B7E95D64D for ; Thu, 16 Jun 2022 01:15:09 -0700 (PDT) Received: by mail-ed1-x52b.google.com with SMTP id w27so1092186edl.7 for ; Thu, 16 Jun 2022 01:15:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=NTbh4MI+QCwbcpkgIpo7198UESJ/mO1+VW3Q06LAB7c=; b=jaqw6FnWxB/5UThR+ZDWPxP3LWg0yS0YKOWgNceuoysE3QYfS+oCxZDmNCa3RDthiA nkA25n9Yi8JFYV85REMoUBn+G4y6pDSV2DxU42hO4xQRb7+rgdKay4JL4s8VmPBn1nC2 yF85m7F7VZaH+V+s+cRL0dGTy2NlNoYtbSfZ1CPjfZrocAUyoNrf37+MCeIEcVKY9Mdz 1i9VibVT2e/BJ4fdVSxoKa4OFM3U6ip5yjEZWjhIfkQsGUiBh6VjTAV2L2vDPEt837o3 6rPCfBieZXhr+OtkAuMNYQbYzuIY8e5Vdeqa07pg+PV/0s2Uo8oR92+b05AsASWc2IXa l2+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=NTbh4MI+QCwbcpkgIpo7198UESJ/mO1+VW3Q06LAB7c=; b=in9yq2VswTvW2/LtwtM54lkLv+G0kafVqdl4tDMnE6O7SSs1/Sw6w3nOO4dqgW1Eb+ BzGbq6ZuwkKZOAgCQB4SH/zQlrjMsMqDPdVTcs1Z14BTYx6TrvZVnNXlg3NZA0OJahwQ DqV+SOvWjbXE/DjUxTdcd8THlArR9Rm71Ix6S/WFCZUL0tlRvwebe3NgPPaUGB7T3PUX GbLwmJ5KFccIgpE6n2wxADPEefxw7+MHcpExshw9S1I/UnDusr8CFstW2bvCVGL8ukVn JkYQmrqW7f45v49+nqVusOeuJp4rbTaVlKmpRgMjQl5GiRJk05DcJ3ug5QfPH1oJjWKj FHFg== X-Gm-Message-State: AJIora+o+pnj/XKQarmrKP4SDkQf3tDYLOSJOH4c5Z/06mmvPglWJc2W 5Tn75FBcD3jzZOJQCXu8uM7tvQ== X-Received: by 2002:a05:6402:100c:b0:42d:f407:b050 with SMTP id c12-20020a056402100c00b0042df407b050mr4735798edu.39.1655367307984; Thu, 16 Jun 2022 01:15:07 -0700 (PDT) Received: from myrica (cpc92880-cmbg19-2-0-cust679.5-4.cable.virginm.net. [82.27.106.168]) by smtp.gmail.com with ESMTPSA id s2-20020a1709060d6200b006f3ef214e2csm471585ejh.146.2022.06.16.01.15.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Jun 2022 01:15:07 -0700 (PDT) Date: Thu, 16 Jun 2022 09:14:44 +0100 From: Jean-Philippe Brucker To: Zhangfei Gao Cc: Greg Kroah-Hartman , Arnd Bergmann , Herbert Xu , Wangzhou , Jonathan Cameron , linux-accelerators@lists.ozlabs.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, iommu@lists.linux-foundation.org, Yang Shen Subject: Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove Message-ID: References: <20220610123423.27496-1-zhangfei.gao@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Jun 16, 2022 at 12:10:18PM +0800, Zhangfei Gao wrote: > > > diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c > > > index 281c54003edc..b6219c6bfb48 100644 > > > --- a/drivers/misc/uacce/uacce.c > > > +++ b/drivers/misc/uacce/uacce.c > > > @@ -136,9 +136,16 @@ static int uacce_fops_open(struct inode *inode, struct file *filep) > > > if (!q) > > > return -ENOMEM; > > > + mutex_lock(&uacce->queues_lock); > > > + > > > + if (!uacce->parent->driver) { > > I don't think this is useful, because the core clears parent->driver after > > having run uacce_remove(): > > > > rmmod hisi_zip open() > > ... uacce_fops_open() > > __device_release_driver() ... > > pci_device_remove() > > hisi_zip_remove() > > hisi_qm_uninit() > > uacce_remove() > > ... ... > > mutex_lock(uacce->queues_lock) > > ... if (!uacce->parent->driver) > > device_unbind_cleanup() /* driver still valid, proceed */ > > dev->driver = NULL > > The check  if (!uacce->parent->driver) is required, otherwise NULL pointer > may happen. I agree we need something, what I mean is that this check is not sufficient. > iommu_sva_bind_device > const struct iommu_ops *ops = dev_iommu_ops(dev);  -> > dev->iommu->iommu_dev->ops > > rmmod has no issue, but remove parent pci device has the issue. Ah right, relying on the return value of bind() wouldn't be enough even if we mandated SVA. [...] > > > > I think we need the global uacce_mutex to serialize uacce_remove() and > > uacce_fops_open(). uacce_remove() would do everything, including > > xa_erase(), while holding that mutex. And uacce_fops_open() would try to > > obtain the uacce object from the xarray while holding the mutex, which > > fails if the uacce object is being removed. > > Since fops_open get char device refcount, uacce_release will not happen > until open returns. The refcount only ensures that the uacce_device object is not freed as long as there are open fds. But uacce_remove() can run while there are open fds, or fds in the process of being opened. And atfer uacce_remove() runs, the uacce_device object still exists but is mostly unusable. For example once the module is freed, uacce->ops is not valid anymore. But currently uacce_fops_open() may dereference the ops in this case: uacce_fops_open() if (!uacce->parent->driver) /* Still valid, keep going */ ... rmmod uacce_remove() ... free_module() uacce->ops->get_queue() /* BUG */ Accessing uacce->ops after free_module() is a use-after-free. We need all the fops to synchronize with uacce_remove() to ensure they don't use any resource of the parent after it's been freed. I see uacce_fops_poll() may have the same problem, and should be inside uacce_mutex. Thanks, Jean