Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove

From: Jean-Philippe Brucker
Date: Mon Jun 20 2022 - 10:02:55 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.4 163/240] random: make consistent use of buf and len"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 152/240] siphash: use one source of truth for siphash permutations"
In reply to: Jean-Philippe Brucker: "Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jun 17, 2022 at 02:05:21PM +0800, Zhangfei Gao wrote:
> > The refcount only ensures that the uacce_device object is not freed as
> > long as there are open fds. But uacce_remove() can run while there are
> > open fds, or fds in the process of being opened. And atfer uacce_remove()
> > runs, the uacce_device object still exists but is mostly unusable. For
> > example once the module is freed, uacce->ops is not valid anymore. But
> > currently uacce_fops_open() may dereference the ops in this case:
> >
> > uacce_fops_open()
> > if (!uacce->parent->driver)
> > /* Still valid, keep going */
> > ... rmmod
> > uacce_remove()
> > ... free_module()
> > uacce->ops->get_queue() /* BUG */
>
> uacce_remove should wait for uacce->queues_lock, until fops_open release the
> lock.
> If open happen just after the uacce_remove: unlock, uacce_bind_queue in open
> should fail.

Ah yes sorry, I lost sight of what this patch was adding. But we could
have the same issue with the patch, just in a different order, no?

uacce_fops_open()
uacce = xa_load()
... rmmod
uacce_remove()
mutex_lock()
mutex_unlock()
mutex_lock()
if (!uacce->parent->driver)
/* Still valid, keep going */ parent->driver = NULL
free_module()
uacce->ops->get_queue() /* BUG */

> > Accessing uacce->ops after free_module() is a use-after-free. We need all
> you men parent release the resources.
> > the fops to synchronize with uacce_remove() to ensure they don't use any
> > resource of the parent after it's been freed.
> After fops_open, currently we are counting on parent driver stop all dma
> first, then call uacce_remove, which is assumption.
> Like drivers/crypto/hisilicon/zip/zip_main.c: hisi_qm_wait_task_finish,
> which will wait uacce_release.
> If comments this , there may other issue,
> Unable to handle kernel paging request at virtual address ffff80000b700204
> pc : hisi_qm_cache_wb.part.0+0x2c/0xa0
>
> > I see uacce_fops_poll() may have the same problem, and should be inside
> > uacce_mutex.
> Do we need consider this, uacce_remove can happen anytime but not waiting
> dma stop?

No, the parent driver must stop DMA before calling uacce_remove(), there
is no way around that

>
> Not sure uacce_mutex can do this.
> Currently the sequence is
> mutex_lock(&uacce->queues_lock);
> mutex_lock(&uacce_mutex);

We should document why some ops use one lock or the other. I believe it's
to avoid circular lock dependency between ioctl and mmap, do you know if
there was another reason?

>
> Or we set all the callbacks of uacce_ops to NULL?

That would be cleaner, though we already use the queue state to indicate
whether it is usable or not. I think we just need to extend that to all
ops.

How about the following patch? Unfortunately it still has the lock
disparity between ioctl and mmap because of the circular lockking with
mmap_sem, I don't know how to make that cleaner.

--- 8< ---

Next message: Greg Kroah-Hartman: "[PATCH 5.4 163/240] random: make consistent use of buf and len"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 152/240] siphash: use one source of truth for siphash permutations"
In reply to: Jean-Philippe Brucker: "Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH] uacce: fix concurrency of fops_open and uacce_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]