On Mon, Mar 14, 2011 at 7:27 PM, Roland Dreier <[email protected]> wrote:
> Doesn't that mean unprivileged userspace could trigger a use-after-free
> in the kernel? (and it might be malicious code, not buggy userspace)
From reading the code a bit, I guess ucma is OK in this area. I do see what seems like an exploitable race in ucma_create_id():

- one thread creates an id with an invalid userspace pointer (so the copy_to_user in ucma_create_id returns -EFAULT and calls rdma_destroy_id before idr_remove)
- another thread guesses the id that is going to be returned and calls ucma_destroy_id()

If the second thread hits the window where the cm_id is destroyed but the ctx is still in the idr, it can trigger a double free. But this is a completely different bug.

- R.
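A constructed C model of the two unwind orderings discussed in the message (added here as illustration; this is not kernel code, and the idr/ucma/rdma names are simplified stand-ins). It shows what a lookup by a racing ucma_destroy_id() caller sees at the instant the cm_id has been torn down: the ctx is still reachable when rdma_destroy_id runs before idr_remove, and unreachable when the idr entry is removed first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define IDR_SLOTS 8

/* Hypothetical, minimal stand-ins for the kernel objects in the mail. */
struct cm_id { bool destroyed; };
struct ucma_ctx { int id; struct cm_id *cm_id; };

static struct ucma_ctx *idr_table[IDR_SLOTS];   /* model of the ucma idr */

static int idr_alloc_model(struct ucma_ctx *c)
{
    for (int i = 0; i < IDR_SLOTS; i++)
        if (!idr_table[i]) { idr_table[i] = c; return i; }
    return -1;
}
static void idr_remove_model(int id) { idr_table[id] = NULL; }
static struct ucma_ctx *idr_find_model(int id) { return idr_table[id]; }
/* Destruction is modelled with a flag so the stale state stays observable. */
static void rdma_destroy_id_model(struct cm_id *id) { id->destroyed = true; }

/* Error path of create_id when copy_to_user() fails with -EFAULT.
 * Returns true if, right after the cm_id is torn down, a concurrent
 * idr_find(id) (what ucma_destroy_id would do) still yields the ctx,
 * i.e. the same cm_id could be destroyed a second time. */
static bool stale_ctx_visible(bool remove_before_destroy)
{
    struct ucma_ctx *c = calloc(1, sizeof *c);
    c->cm_id = calloc(1, sizeof *c->cm_id);
    c->id = idr_alloc_model(c);           /* id is now published and guessable */
    if (c->id < 0) { free(c->cm_id); free(c); return false; }

    /* copy_to_user() of the id fails here; unwind begins */
    if (remove_before_destroy)
        idr_remove_model(c->id);          /* unpublish before tearing down */
    rdma_destroy_id_model(c->cm_id);

    /* the racing thread's view at this exact point */
    struct ucma_ctx *seen = idr_find_model(c->id);
    bool stale = seen && seen->cm_id->destroyed;

    if (!remove_before_destroy)
        idr_remove_model(c->id);          /* buggy order: removed too late */
    free(c->cm_id);
    free(c);
    return stale;
}
```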
