On Mon, Mar 29, 2021 at 09:48:20AM -0400, dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx wrote:
> From: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxxxxxxxxxxxxx>
>
> The security code guards for non-current mm in all cases for
> updating the rb tree.
>
> That is ok for insert, but NOT ok for remove, since the insert
> has already guarded the node from being inserted and the remove
> can be called with a different mm because of a segfault or other similar
> "close" issues where current->mm is NULL.
>
> Best case, we leak pages. Worst case, we delete items from an lru_list
> more than once:
> [20945.911107] list_del corruption, ffffa0cd536bcac8->next is LIST_POISON1 (dead000000000100)
>
> Fix by removing the guard from any functions that remove nodes
> from the tree, assuming the node was entered into the tree as valid since
> the insert is guarded.
>
> Fixes: 3d2a9d642512 ("IB/hfi1: Ensure correct mm is used at all times")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>
> ---
> drivers/infiniband/hw/hfi1/mmu_rb.c | 9 ---------
> 1 file changed, 9 deletions(-)

I'm going to drop this - resend it when more thinking is done.

But generally the security concern is establishing new access to a mm, not
so much destroying access created by another user of a FD.

Jason
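The failure mode the commit message describes (a current->mm guard on the remove path skipping nodes when cleanup runs with current->mm == NULL) and Jason's point that the guard belongs where access to an mm is established can be shown with a small userspace model. This is an added example, not hfi1 code and not the patch under discussion: struct mm_model, struct node_model, struct tree_model, the global current_mm and the simulate_* functions are all constructed here, and a singly linked list stands in for the rb tree. Only the leak side is modelled; the list_del corruption needs real lru_list interplay that is not on this page.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model, not hfi1 code. struct mm_model stands in for
 * struct mm_struct; the linked list stands in for the rb tree. */
struct mm_model { int id; };

struct node_model {
	struct mm_model *mm;		/* owner captured when the node was inserted */
	struct node_model *next;
};

struct tree_model {
	struct node_model *head;
	int count;
};

/* Stand-in for current->mm. NULL models a close or segfault teardown path
 * where the task's mm is already gone. */
static struct mm_model *current_mm;

/* Insert is where access to an mm is established, so it is guarded:
 * a caller whose current_mm is not the node's owner is refused. */
static int insert_node(struct tree_model *t, struct node_model *n)
{
	if (!current_mm || current_mm != n->mm)
		return -1;
	n->next = t->head;
	t->head = n;
	t->count++;
	return 0;
}

/* Unlink n if present. Returns 1 if removed, 0 if not found. */
static int unlink_node(struct tree_model *t, struct node_model *n)
{
	struct node_model **pp;

	for (pp = &t->head; *pp; pp = &(*pp)->next) {
		if (*pp == n) {
			*pp = n->next;
			n->next = NULL;
			t->count--;
			return 1;
		}
	}
	return 0;
}

/* Pre-fix shape: remove repeats the current_mm check. On a teardown path
 * with current_mm == NULL it never removes anything. */
static int remove_node_guarded(struct tree_model *t, struct node_model *n)
{
	if (!current_mm || current_mm != n->mm)
		return -1;
	return unlink_node(t, n) ? 0 : -1;
}

/* Post-fix shape: the node was validated at insert, so remove trusts it. */
static int remove_node_unguarded(struct tree_model *t, struct node_model *n)
{
	return unlink_node(t, n) ? 0 : -1;
}

/* Insert three nodes as owner mm A, then run the close path with
 * current_mm cleared. Returns how many nodes are still in the tree,
 * i.e. how many would be leaked. */
static int simulate_close(int guarded_remove)
{
	struct mm_model a = { .id = 1 };
	struct tree_model t = { .head = NULL, .count = 0 };
	struct node_model nodes[3];
	int i;

	current_mm = &a;
	for (i = 0; i < 3; i++) {
		nodes[i].mm = &a;
		nodes[i].next = NULL;
		insert_node(&t, &nodes[i]);
	}

	current_mm = NULL;	/* close/segfault path: no current mm */
	for (i = 0; i < 3; i++) {
		if (guarded_remove)
			remove_node_guarded(&t, &nodes[i]);
		else
			remove_node_unguarded(&t, &nodes[i]);
	}
	return t.count;
}

/* The insert guard still blocks registering a node on behalf of a
 * foreign mm, which is the access-establishing case Jason refers to. */
static int simulate_foreign_insert(void)
{
	struct mm_model a = { .id = 1 }, b = { .id = 2 };
	struct tree_model t = { .head = NULL, .count = 0 };
	struct node_model n = { .mm = &a, .next = NULL };

	current_mm = &b;
	return insert_node(&t, &n);	/* rejected */
}
```

simulate_close(1) leaves all three nodes behind (the leak the commit message calls the best case), simulate_close(0) drains the tree, and simulate_foreign_insert() shows the insert-side guard still doing the work that matters for security.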