Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp8154873rwr;
        Wed, 10 May 2023 19:18:47 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ4C5i9XBX//03CrHYnmVcP64/QW53ZdTl6l6WVWUh5UCagHG3eNlN90wrFvivn+kbhiKYwJ
X-Received: by 2002:a17:902:e852:b0:1a6:c595:d7c3 with SMTP id t18-20020a170902e85200b001a6c595d7c3mr23454632plg.22.1683771526890;
        Wed, 10 May 2023 19:18:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683771526; cv=none;
        d=google.com; s=arc-20160816;
        b=hSjB9Yd57xxBfMw8Y3hFgutPwfcK4+fikSueHosJjz+mubfO3mQzVdKXeMBaqFA3qK
         PCBTK5UjLwvCRDcWYAiuyG5AW7aprG0drhOk2bZoYr4aWIBuLLwzSBJR4cQxyXouiTW6
         dVhsnXhAbgpFF37sLZPJTSI4/q3lQ7oWxE02+u9IKR9Pxv4nJ6+SVOwiTBRVAC38fj8X
         iQUGG0J0HNvGXZ0NNTI/9QswOq1ZsChgQ0hIW0WtUnA8TRq4Ilr/cfYScdFxJMvjBXj8
         GDzH3YntmxYOihpWGG1H8d7YIEtTJdRC+VSLYuXoOCsN3BvOT11vmxEIcpnQmLmdvKLt
         VP9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=c7NhY70nKePpFKW1tNMvcsBAqsK2Oz2JiYYqlXCn6ek=;
        b=RXYq8/07ao6n3fqnIfbWGHjl3CdMGPi+Hrp60oxr8BEhbrhWZge8dNwOXgqF1P59BH
         H9psqGOXhTeFu8qCwRN9M8sSj/ZZouGBE9u+JL5XXYSIB6FuupOmIvOlHgEk4aaqTcYa
         9jgvVqljCbVyjyIFPC7bd7KdQcWzErkuWoubwCPD34wxZX6/wyFigEa7wgRN1NjZHvMn
         b0+L8ZUh209mEyWo38LKfkeHy3GWX39bDUK9/3Qnw7hzbxkoPX0Cg4rmBaB7Kd/wmQG+
         etWPM4pibPvFgqtzRn7BYW034oo1TDVu2utjXgTaFk2ucfCaZBUA7YdhVu8eAQ5zKFG/
         SoyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=VzlDVesw;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q17-20020a170902789100b001aaea4707c1si5249786pll.99.2023.05.10.19.18.28;
        Wed, 10 May 2023 19:18:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=VzlDVesw;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230041AbjEKCQY (ORCPT <rfc822;letrhee@gmail.com> + 99 others);
        Wed, 10 May 2023 22:16:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47664 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229555AbjEKCQX (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 10 May 2023 22:16:23 -0400
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 455CB273E
        for <linux-crypto@vger.kernel.org>; Wed, 10 May 2023 19:16:22 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-304935cc79bso7505686f8f.2
        for <linux-crypto@vger.kernel.org>; Wed, 10 May 2023 19:16:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1683771381; x=1686363381;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=c7NhY70nKePpFKW1tNMvcsBAqsK2Oz2JiYYqlXCn6ek=;
        b=VzlDVeswYJTkHS18WfZGHZ94kK1HMGNiS+QWCFjD+YQvom1A9OAwXhkdBvdBe22xb1
         wo2+YNPN2MLaLnGPFkdicBRqtv0CqWMFPg8QmcSKYNV9CwYtC9HjcrmNGJ/D2dsCz3lb
         Z5PlRQDTuLjC9YYVM1X5I8xGDP/4vF1xu/GrZJojtbOuyCP+QJF9DWyY0/3Y99Q8a5ua
         eByKEUXFxYnoBU9GBECtwMdo6BJkmns+hZ8YD2GZV8eQReJfbHcXZ0zBy6866p8r3miX
         9dO9UeQ30UHWgOkJMCSmPXFkmsjsPkCrdbwew7yxIcitgBsJRx24CfkS0WtbbIPC8y/0
         lm4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1683771381; x=1686363381;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=c7NhY70nKePpFKW1tNMvcsBAqsK2Oz2JiYYqlXCn6ek=;
        b=gktIjNYbTeMTIAsLYg92h5gNceHTdm7fiAX+qFhyp20V8y7PV2u3zYeFl91xnKSz4q
         F3AhxOO13VvcyDQ5eR1oIQ0KCiBcmIarIFi7ClAR+nhstKjZV3OReuiYr9bhST4gM4oJ
         EIJb5SWQnMJSzKzwi7l4Tnh1xt3lQDRS1fmbFsxeXAYBK3RTRfds/0OtQc/2AIDz6CF0
         O5acr+JmNF8qdAzk7VQtTetZovu0BJQMNYAMwWEdQB/sY3XbY3q4hHvSP25cGE7lbbSg
         fT8dHPjI3qvPaJN88HHZI8A5pjsrZRmBeOPqyzoSjpf71yiKyqz9c0TO/tz1+CjGnUd7
         DKdw==
X-Gm-Message-State: AC+VfDwMlf1b3qSmLWKQWEq7sj2djIn1Nl73SQ1g38p4Y982l7+cXB3k
        4PZXHZuQVUYWZIAKuWWa5WWl7Q==
X-Received: by 2002:a5d:45c7:0:b0:306:3bac:e235 with SMTP id b7-20020a5d45c7000000b003063bace235mr11720300wrs.10.1683771380676;
        Wed, 10 May 2023 19:16:20 -0700 (PDT)
Received: from localhost.localdomain ([64.64.123.10])
        by smtp.gmail.com with ESMTPSA id j18-20020a5d4492000000b003021288a56dsm18945908wrq.115.2023.05.10.19.16.14
        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
        Wed, 10 May 2023 19:16:20 -0700 (PDT)
From:   Zhangfei Gao <zhangfei.gao@linaro.org>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        jean-philippe <jean-philippe@linaro.org>,
        Wangzhou <wangzhou1@hisilicon.com>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc:     linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
        iommu@lists.linux.dev, acc@lists.linaro.org,
        Zhangfei Gao <zhangfei.gao@linaro.org>,
        Weili Qian <qianweili@huawei.com>
Subject: [PATCH] uacce: use filep->f_mapping to replace inode->i_mapping
Date:   Thu, 11 May 2023 10:15:53 +0800
Message-Id: <20230511021553.44318-1-zhangfei.gao@linaro.org>
X-Mailer: git-send-email 2.39.2 (Apple Git-143)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

The inode can be different in a container, for example, a docker and host
both open the same uacce parent device, which uses the same uacce struct
but different inode, so uacce->inode is not enough.

What's worse, when docker stops, the inode will be destroyed as well,
causing use-after-free in uacce_remove.

So use q->filep->f_mapping to replace uacce->inode->i_mapping.

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
---
 drivers/misc/uacce/uacce.c | 16 +++++++++-------
 include/linux/uacce.h      |  4 ++--
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index 346bd7cf2e94..740ace422baa 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -166,8 +166,8 @@ static int uacce_fops_open(struct inode *inode, struct file *filep)
 
 	init_waitqueue_head(&q->wait);
 	filep->private_data = q;
-	uacce->inode = inode;
 	q->state = UACCE_Q_INIT;
+	q->private_data = filep;
 	mutex_init(&q->mutex);
 	list_add(&q->list, &uacce->queues);
 	mutex_unlock(&uacce->mutex);
@@ -574,12 +574,6 @@ void uacce_remove(struct uacce_device *uacce)
 
 	if (!uacce)
 		return;
-	/*
-	 * unmap remaining mapping from user space, preventing user still
-	 * access the mmaped area while parent device is already removed
-	 */
-	if (uacce->inode)
-		unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
 
 	/*
 	 * uacce_fops_open() may be running concurrently, even after we remove
@@ -589,6 +583,8 @@ void uacce_remove(struct uacce_device *uacce)
 	mutex_lock(&uacce->mutex);
 	/* ensure no open queue remains */
 	list_for_each_entry_safe(q, next_q, &uacce->queues, list) {
+		struct file *filep = q->private_data;
+
 		/*
 		 * Taking q->mutex ensures that fops do not use the defunct
 		 * uacce->ops after the queue is disabled.
@@ -597,6 +593,12 @@ void uacce_remove(struct uacce_device *uacce)
 		uacce_put_queue(q);
 		mutex_unlock(&q->mutex);
 		uacce_unbind_queue(q);
+
+		/*
+		 * unmap remaining mapping from user space, preventing user still
+		 * access the mmaped area while parent device is already removed
+		 */
+		unmap_mapping_range(filep->f_mapping, 0, 0, 1);
 	}
 
 	/* disable sva now since no opened queues */
diff --git a/include/linux/uacce.h b/include/linux/uacce.h
index 0a81c3dfd26c..64b800b74436 100644
--- a/include/linux/uacce.h
+++ b/include/linux/uacce.h
@@ -86,6 +86,7 @@ enum uacce_q_state {
  * @state: queue state machine
  * @pasid: pasid associated to the mm
  * @handle: iommu_sva handle returned by iommu_sva_bind_device()
+ * @private_data: private data for saving filep
  */
 struct uacce_queue {
 	struct uacce_device *uacce;
@@ -97,6 +98,7 @@ struct uacce_queue {
 	enum uacce_q_state state;
 	u32 pasid;
 	struct iommu_sva *handle;
+	void *private_data;
 };
 
 /**
@@ -114,7 +116,6 @@ struct uacce_queue {
  * @mutex: protects uacce operation
  * @priv: private pointer of the uacce
  * @queues: list of queues
- * @inode: core vfs
  */
 struct uacce_device {
 	const char *algs;
@@ -130,7 +131,6 @@ struct uacce_device {
 	struct mutex mutex;
 	void *priv;
 	struct list_head queues;
-	struct inode *inode;
 };
 
 #if IS_ENABLED(CONFIG_UACCE)
-- 
2.39.2 (Apple Git-143)