[openib-general] [PATCH] Fix freed mem deref race in cma_process_remove/cma_req_handler
Michael S. Tsirkin
mst at mellanox.co.il
Tue Sep 19 00:21:29 PDT 2006
Quoting r. Krishna Kumar <krkumar2 at in.ibm.com>:
> Subject: [PATCH] Fix freed mem deref race in cma_process_remove/cma_req_handler
>
> The race is as follows:
>
> A process: cma_process_remove() calls cma_remove_id_dev(),
> which sets id state to CMA_DEVICE_REMOVAL and
> calls wait_event(dev_remove).
>
> B process: cma_req_handler() had incremented dev_remove,
> and calls cma_acquire_ib_dev() and on failure
> calls cma_release_remove(), which does a
> wake_up of cma_process_remove(). Then
> cma_req_handler() calls rdma_destroy_id();
>
> A process: cma_remove_id_dev() gets woken and checks the
> state of id, and since it is still (wrongly)
> CMA_DEVICE_REMOVAL, it calls notify_user(id)
> and if that fails, the caller - cma_process_remove()
> calls rdma_destroy_id(id). Two processes can
> call rdma_destroy_id(), resulting in one
> de-referencing kfreed id_priv.
>
> Fix is for process B to set CMA_DESTROYING in cma_req_handler()
> so that process A will return instead of doing a rdma_destroy_id().
>
> Signed-off-by: Krishna Kumar <krkumar2 at in.ibm.com>
Did you actually see these crashes?
If yes, this looks serious enough even for 2.6.18. Sean?
--
MST
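The interleaving in the quoted description, as an added model that is not the rdma_cm code from the patch or the thread: the struct, the state names and the helper names are stand-ins, notify_user() is assumed to fail (the case the description covers), and the two "processes" are serialized in the exact order the mail gives instead of running as real threads, so the outcome is deterministic. Running it pre-patch yields two rdma_destroy_id() calls on one id_priv (the double free); with process B marking the id CMA_DESTROYING before the wake-up, process A returns and only one destroy runs.

```c
#include <assert.h>
#include <stdio.h>

/*
 * Model of the cma_process_remove()/cma_req_handler() race described in the
 * quoted patch text. Illustration only, not rdma_cm code: struct, states and
 * helpers are stand-ins, and the interleaving is serialized by hand.
 */
enum cma_state { CMA_IDLE, CMA_DEVICE_REMOVAL, CMA_DESTROYING, CMA_FREED };

struct id_priv {
    enum cma_state state;
    int dev_remove;     /* in-flight users; cma_remove_id_dev() waits for 0 */
    int destroy_calls;  /* times rdma_destroy_id() ran on this object */
};

/* Stand-in for rdma_destroy_id(). The real one kfrees id_priv, so a second
 * call dereferences freed memory; here we count calls so the model can show it. */
static void destroy_id(struct id_priv *id)
{
    id->destroy_calls++;
    id->state = CMA_FREED;
}

/* Run the interleaving from the mail. fixed == 0 is the pre-patch behaviour;
 * fixed == 1 applies the patch's idea: B sets CMA_DESTROYING before waking A.
 * Returns the number of destroy calls; 2 means the double free happened. */
static int run_race(int fixed)
{
    struct id_priv id = { CMA_IDLE, 0, 0 };

    /* B: cma_req_handler() has already taken its dev_remove reference. */
    id.dev_remove++;

    /* A: cma_process_remove() -> cma_remove_id_dev() marks the id and blocks
     * in wait_event() because dev_remove is still 1. B runs next. */
    id.state = CMA_DEVICE_REMOVAL;

    /* B: cma_acquire_ib_dev() fails. With the fix, B claims the id for
     * teardown *before* cma_release_remove() wakes A. */
    if (fixed)
        id.state = CMA_DESTROYING;
    id.dev_remove--;            /* cma_release_remove(): wake_up(A) */

    /* A wakes and re-checks the state. Pre-patch it still reads
     * CMA_DEVICE_REMOVAL, calls notify_user() (assumed to fail here), and
     * the caller cma_process_remove() destroys the id. */
    if (id.state == CMA_DEVICE_REMOVAL) {
        int notify_user_ok = 0;      /* assumption: notification fails */
        if (!notify_user_ok)
            destroy_id(&id);
    }
    /* With the fix A sees CMA_DESTROYING and returns; teardown is left to B. */

    /* B: rdma_destroy_id(). Pre-patch this is the second destroy on an
     * id_priv that A already freed. */
    destroy_id(&id);

    return id.destroy_calls;
}

int main(void)
{
    printf("pre-patch: %d destroy call(s)\n", run_race(0));
    printf("fixed:     %d destroy call(s)\n", run_race(1));
    return 0;
}
```

The point the model makes explicit is that the state check after wait_event() is only meaningful if whoever wakes the waiter has already recorded the decision it made; moving the state change ahead of the wake-up is what turns the check in process A into a reliable handoff.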