[ofa-general] [PATCH] fix horrible hole in uverbs

Roland Dreier rdreier at cisco.com
Fri Oct 19 19:40:44 PDT 2007


Not sure how we missed this for so long... unless I'm very confused it
was possible for different contexts to stomp on each other since June
of last year!

commit cc81b99d8ef91e3692eb920f6a300453e2988114
Author: Roland Dreier <rolandd at cisco.com>
Date:   Fri Oct 19 19:39:23 2007 -0700

    IB/uverbs: Fix checking of userspace object ownership
    
    Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
    rewrote how userspace objects are looked up in the uverbs module's
    idrs, and introduced a severe bug in the process: there is no checking
    that an operation is being performed by the right process any more.
    Fix this by adding the missing check of uobj->context in __idr_get_uobj().
    
    Apparently everyone is being very careful to only touch their own
    objects, because this bug was introduced in June 2006 in 2.6.18, and
    has gone undetected until now.
    
    Signed-off-by: Roland Dreier <rolandd at cisco.com>

diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 01d7008..495c803 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj(struct idr *idr, int id,
 
 	spin_lock(&ib_uverbs_idr_lock);
 	uobj = idr_find(idr, id);
-	if (uobj)
-		kref_get(&uobj->ref);
+	if (uobj) {
+		if (uobj->context == context)
+			kref_get(&uobj->ref);
+		else
+			uobj = NULL;
+	}
 	spin_unlock(&ib_uverbs_idr_lock);
 
 	return uobj;
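Review bot: a mismatched `uobj->context` is folded into the same `uobj = NULL` result as a missing id, so callers cannot tell "not found" from "owned by another process"; that is the right choice (it neither leaks whether a foreign id exists nor differs from the pre-existing failure path), but the reason deserves a one-line comment next to `uobj = NULL;` so a later cleanup does not "improve" it into a distinct error. The comparison itself is done while `ib_uverbs_idr_lock` is held and before the `kref_get`, so no reference is ever taken on an object belonging to another context, which is what makes the check complete for every caller that goes through `__idr_get_uobj()`.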
