On Mon, Mar 14, 2011 at 5:12 PM, Hefty, Sean <[email protected]> wrote:
>> likewise this seems to drop the additional reference, and then use
>> the conn_id. Why can't it be destroyed right after the cma_deref_id
>> leading to use-after-free?
>
> That is a double free error by the user. If they return a non-zero value
> from the callback, that indicates that the rdma_cm should destroy the id.
> The user cannot use the id at that point.
Doesn't that mean unprivileged userspace could trigger a use-after-free in the kernel? (and it might be malicious code, not buggy userspace)

 - R.
