[openib-general] [PATCH 04/17] ehca: userspace support

Roland Dreier rdreier at cisco.com
Thu Mar 2 11:59:40 PST 2006


 > +	my_context = kmalloc(sizeof *my_context, GFP_KERNEL);
 > +	if (NULL == my_context) {
 > +		EDEB_ERR(4, "Out of memory device=%p", device);
 > +		return ERR_PTR(-ENOMEM);
 > +	}
 > +	memset(my_context, 0, sizeof(*my_context));
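Review bot: the kmalloc() plus the separate memset() on my_context is the pattern kzalloc() exists for; `my_context = kzalloc(sizeof *my_context, GFP_KERNEL);` drops the memset line and removes the window in which the struct is allocated but uninitialized. The `NULL == my_context` comparison is also not the kernel's usual style; `if (!my_context)` is what the rest of the tree uses.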

kzalloc() again

 > +		down_read(&ehca_cq_idr_sem);
 > +		cq = idr_find(&ehca_cq_idr, idr_handle);
 > +		up_read(&ehca_cq_idr_sem);
 > +
 > +		/* make sure this mmap really belongs to the authorized user */
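Review bot: the pointer returned by idr_find() is only valid while ehca_cq_idr_sem is held, yet up_read() is called before cq is used for the ownership check that follows; a concurrent destroy of the same CQ can free the object in between and the check then dereferences freed memory. Either keep the read lock across the whole use of cq, or take a reference on the CQ before dropping it. The fragment also shows no handling of idr_find() returning NULL for an unknown idr_handle; if that test is not in the lines that follow, it needs to be there before cq is dereferenced.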

I never noticed this before, but what protects the CQ here?  You look
it up in the idr but then drop the lock without taking a reference or
anything.  Could malicious userspace destroy the CQ very quickly here
and leave you holding a stale pointer?

Similarly for the QP stuff...

 > +int ehca_mmap_register(u64 physical,void ** mapped,struct vm_area_struct ** vma)
 > +{
 > +	int ret;
 > +	unsigned long vsize;
 > +	ehca_mmap_nopage(0,4096,mapped,vma);
 > +	(*vma)->vm_flags |= VM_RESERVED;
 > +	vsize = (*vma)->vm_end - (*vma)->vm_start;
 > +	if (vsize != 4096) {
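Review bot: the page size is hard-coded as 4096 twice, in the ehca_mmap_nopage(0,4096,mapped,vma) call and in the `vsize != 4096` check, so on a kernel built with a larger PAGE_SIZE the single-page mapping is either rejected or undersized; both should use PAGE_SIZE. The return value of ehca_mmap_nopage() is discarded even though `ret` is declared for it, so a failed mapping is followed by (*vma)->vm_flags being touched anyway. The prototype spacing (`u64 physical,void ** mapped,struct vm_area_struct ** vma`) should follow kernel style: a space after each comma and `void **mapped`.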

What happens on systems with PAGE_SIZE == 65536?  Does this still work?

 - R.
