On 11/12/2020 5:06 PM, Dennis Dalessandro wrote:
On 11/12/2020 12:14 PM, Ira Weiny wrote:
On Wed, Nov 11, 2020 at 09:58:37PM -0500, Dennis Dalessandro wrote:
Two earlier bug fixes have created a security problem in the hfi1
driver. One fix aimed to solve an issue where current->mm was not valid
when closing the hfi1 cdev. It attempted to do this by saving a cached
value of the current->mm pointer at file open time. This is a problem if
another process with access to the FD calls in via write() or ioctl() to
pin pages via the hfi driver. The other fix tried to solve a use after
free by taking a reference on the mm. This was just wrong because its
possible for a race condition between one process with an mm that opened
the cdev if it was accessing via an IOCTL, and another process
attempting to close the cdev with a different current->mm.
Again I'm still not seeing the race here. It is entirely possible
that the fix
I was trying to do way back was mistaken too... ;-) I would just
delete the
last 2 sentences... and/or reference the commit of those fixes and help
explain this more.
I was attempting to refer to [1], the email that started all of this.
That link should be:
[1] https://marc.info/?l=linux-rdma&m=159891753806720&w=2
-Denny
