> +    my_context = kmalloc(sizeof *my_context, GFP_KERNEL);
 > +    if (NULL == my_context) {
 > +            EDEB_ERR(4, "Out of memory device=%p", device);
 > +            return ERR_PTR(-ENOMEM);
 > +    }
 > +    memset(my_context, 0, sizeof(*my_context));

kzalloc() again

 > +            down_read(&ehca_cq_idr_sem);
 > +            cq = idr_find(&ehca_cq_idr, idr_handle);
 > +            up_read(&ehca_cq_idr_sem);
 > +
 > +            /* make sure this mmap really belongs to the authorized user */

I never noticed this before, but what protects the CQ here?  You look
it up in the idr but then drop the lock without taking a reference or
anything.  Could malicious userspace destroy the CQ very quickly here
and leave you holding a stale pointer?

Similarly for the QP stuff...

 > +int ehca_mmap_register(u64 physical,void ** mapped,struct vm_area_struct ** 
 > vma)
 > +{
 > +    int ret;
 > +    unsigned long vsize;
 > +    ehca_mmap_nopage(0,4096,mapped,vma);
 > +    (*vma)->vm_flags |= VM_RESERVED;
 > +    vsize = (*vma)->vm_end - (*vma)->vm_start;
 > +    if (vsize != 4096) {
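Review bot: The result of `ehca_mmap_nopage(0,4096,mapped,vma)` is discarded even though `ret` is declared for it, and `(*vma)` is dereferenced on the very next line; if that call can fail and leave `*vma` unset or NULL, the `vm_flags` update and the `vm_end - vm_start` computation operate on an invalid pointer. Assuming it returns an error code like the other helpers, the call should be `ret = ehca_mmap_nopage(0, 4096, mapped, vma); if (ret) return ret;` before anything touches `*vma`. The hard-coded `4096` in both the call and the `vsize != 4096` check should be one named constant so that the size being mapped and the size being validated cannot drift apart. The body of ehca_mmap_register continues past the end of the quoted hunk.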

What happens on systems with PAGE_SIZE == 65536?  Does this still work?

 - R.