On Sat, May 07, 2016 at 08:19:46PM +0200, Yann Droneaud wrote:
> I thought access_ok() done as part of copy_to_user() would protect from
> such unwelcomed behavior. But it's not if the kernel invokes write()
> handler outside of a user process.

It does. Core dumps are an obvious example, although I fail to see how
an unprivileged user could set the core dump pattern to involve an IB
uverbs device. The other hint in the patch is that it checks for the
credentials, which suggests suid/sgid binaries are part of the issue.

But the combination of the write abuse and allowing users to use the
device nodes is bound to be lethal sooner or later, so I'm not surprised
about issues popping up.