- one thread creates an id with an invalid userspace pointer
(so the copy_to_user in ucma_create_id returns -EFAULT
and calls rdma_destroy_id before idr_remove)
- another thread guesses the id that is going to be returned and
calls ucma_destroy_id()
if the second thread hits the
On Mon, 2011-03-14 at 21:22 -0700, Roland Dreier wrote:
On Mon, Mar 14, 2011 at 7:27 PM, Roland Dreier rol...@kernel.org wrote:
Doesn't that mean unprivileged userspace could trigger a use-after-free
in the kernel? (and it might be malicious code, not buggy userspace)
From reading the
On Wed, Feb 23, 2011 at 8:11 AM, Hefty, Sean sean.he...@intel.com wrote:
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1210,6 +1210,11 @@ static int cma_req_handler(struct ib_cm_id *cm_id,
struct ib_cm_event *ib_event)
cm_id-context = conn_id;
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1210,6 +1210,11 @@ static int cma_req_handler(struct ib_cm_id *cm_id,
struct ib_cm_event *ib_event)
cm_id-context = conn_id;
cm_id-cm_handler = cma_ib_handler;
+ /*
+ * Protect
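Review bot: the five added lines that follow `cm_id->cm_handler = cma_ib_handler;` are cut off at `+ * Protect`, so neither the comment's rationale nor the code it introduces is visible in this hunk; since the thread questions whether the additional reference is dropped before conn_id is last used, the review should confirm that whatever reference this block takes is released only after the final use of conn_id in cma_req_handler, and that the comment states which concurrent destroy of the id it guards against.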
On Mon, Mar 14, 2011 at 5:12 PM, Hefty, Sean sean.he...@intel.com wrote:
Likewise this seems to drop the additional reference, and then use
the conn_id. Why can't it be destroyed right after the cma_deref_id,
leading to use-after-free?
That is a double free error by the user. If they return
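The two failure modes discussed above, the id being torn down before it is removed from the id table (the ucma_create_id race) and a reference being dropped before the object's last use (the cma_deref_id question), both come down to ordering around a refcounted object published in a lookup table. The program below is an added example, not code from the thread or from the kernel: a single-threaded user-space model with hypothetical names (`ctx`, `table`, `ctx_destroy_by_id`) in which the "racing" caller's steps are interleaved by hand. It shows the unsafe ordering beside the safe one, and shows a handler holding its own reference across use.

```c
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 8
#define ENOENT_RC  (-2)   /* stand-in for -ENOENT (assumed value for the model) */

/* Hypothetical context object. 'alive' exists only so the model can inspect
 * an object after its "free" instead of touching freed memory. */
struct ctx {
    int refcount;
    int alive;
};

static struct ctx *table[TABLE_SIZE];   /* model of the idr: id -> object */
static struct ctx pool[TABLE_SIZE];     /* backing storage, never really freed */

static void table_reset(void)
{
    memset(table, 0, sizeof(table));
    memset(pool, 0, sizeof(pool));
}

/* Drop one reference; the free is modelled by clearing 'alive'. */
static void ctx_put(struct ctx *c)
{
    if (--c->refcount == 0)
        c->alive = 0;
}

/* Allocate an object and publish it under the first free id (the table's
 * reference). Returns the id, or -1 when the table is full. */
static int ctx_alloc_and_publish(void)
{
    for (int id = 0; id < TABLE_SIZE; id++) {
        if (table[id] == NULL) {
            pool[id].refcount = 1;
            pool[id].alive = 1;
            table[id] = &pool[id];
            return id;
        }
    }
    return -1;
}

/* What a second caller does with a guessed id: look it up, unpublish it,
 * drop the table's reference. Returns ENOENT_RC for an unknown id, 1 if the
 * slot still pointed at an already-freed object (a use-after-free in real
 * code), 0 on a clean destroy. */
static int ctx_destroy_by_id(int id)
{
    struct ctx *c = table[id];
    if (c == NULL)
        return ENOENT_RC;
    table[id] = NULL;
    if (!c->alive)
        return 1;
    ctx_put(c);
    return 0;
}

/* Unsafe ordering: when handing the id back to the caller fails, the object
 * is torn down while its id is still published. Returns what a racing
 * destroy-by-id observed in that window (1 = it found a freed object). */
static int create_unsafe(int copy_fails)
{
    table_reset();
    int id = ctx_alloc_and_publish();
    if (id < 0 || !copy_fails)
        return 0;
    ctx_put(table[id]);                 /* object "freed"...              */
    int seen = ctx_destroy_by_id(id);   /* ...while a racing caller can still find it */
    table[id] = NULL;                   /* the late idr_remove-style cleanup */
    return seen;
}

/* Safe ordering: unpublish first, drop the last reference afterwards. The
 * racing destroy-by-id now gets ENOENT_RC instead of a dangling pointer. */
static int create_safe(int copy_fails)
{
    table_reset();
    int id = ctx_alloc_and_publish();
    if (id < 0 || !copy_fails)
        return 0;
    struct ctx *c = table[id];
    table[id] = NULL;                   /* nobody can look the id up any more */
    int seen = ctx_destroy_by_id(id);   /* racing caller: ENOENT_RC          */
    ctx_put(c);                         /* last reference dropped last       */
    return seen;
}

/* A handler that takes its own reference before working on the object, so a
 * destroy-by-id issued in the middle cannot free it underneath. Returns
 * alive-during-use * 10 + alive-after-put, i.e. 10 when the ordering holds. */
static int use_with_own_ref(void)
{
    table_reset();
    int id = ctx_alloc_and_publish();
    struct ctx *c = table[id];
    c->refcount++;                      /* handler's reference             */
    ctx_destroy_by_id(id);              /* user destroys the id mid-handler */
    int during = c->alive;              /* still 1: our reference holds it  */
    ctx_put(c);                         /* handler finished                 */
    int after = c->alive;               /* now 0                            */
    return during * 10 + after;
}

int main(void)
{
    printf("unsafe teardown, racing destroy saw freed object: %d\n", create_unsafe(1));
    printf("safe teardown, racing destroy result (ENOENT_RC=%d): %d\n", ENOENT_RC, create_safe(1));
    printf("handler holding its own reference: %d (10 = correct)\n", use_with_own_ref());
    return 0;
}
```

The model makes the two invariants explicit: an id must stop being resolvable before the last reference to its object is dropped, and any code path that is about to use an object after releasing a reference must hold a reference of its own for the duration of that use.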
On Mon, Mar 14, 2011 at 7:27 PM, Roland Dreier rol...@kernel.org wrote:
Doesn't that mean unprivileged userspace could trigger a use-after-free
in the kernel? (and it might be malicious code, not buggy userspace)
From reading the code a bit, I guess ucma is OK in this area. I do see
what
Doug Ledford and RedHat reported a crash when running the rdma_cm on a real-time
OS. The crash has the following call trace:
cm_process_work
cma_req_handler
cma_disable_callback
rdma_create_id
kzalloc
init_completion
On Wed, 2011-02-23 at 08:11 -0800, Hefty, Sean wrote:
Doug Ledford and RedHat reported a crash when running the rdma_cm on a real-time
OS. The crash has the following call trace:
cm_process_work
cma_req_handler
cma_disable_callback
rdma_create_id