On Mon, Mar 29, 2021 at 09:48:20AM -0400, dennis.dalessandro@cornelisnetworks.com wrote:
> From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
>
> The security code guards for non-current mm in all cases for updating
> the rb tree.
>
> That is ok for insert, but NOT ok for remove, since the insert has
> already guarded the node from being inserted and the remove can be
> called with a different mm because of a segfault or other similar "close"
> issues where current->mm is NULL.
>
> Best case, we leak pages. Worst case, we delete items from an lru_list
> more than once:
>
> [20945.911107] list_del corruption, ffffa0cd536bcac8->next is LIST_POISON1 (dead000000000100)
>
> Fix by removing the guard from any functions that remove nodes from the
> tree, assuming the node was entered into the tree as valid since the
> insert is guarded.
>
> Fixes: 3d2a9d642512 ("IB/hfi1: Ensure correct mm is used at all times")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
> Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
> ---
>  drivers/infiniband/hw/hfi1/mmu_rb.c | 9 ---------
>  1 file changed, 9 deletions(-)
I'm going to drop this - resend it when more thinking is done.
But generally the security concern is establishing new access to a mm, not so much destroying access created by another user of a FD.
Jason
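The insert/remove guard mismatch that the quoted commit message describes, modelled as an added example that is not the hfi1 driver's code: `struct mm`, `struct rb` and the `current_mm` parameter are assumptions standing in for the kernel's mm_struct, the driver's rb tree and current->mm, and the buggy and fixed remove paths are shown side by side.

```c
/* Added example, not hfi1 driver code: a toy model of the mm guard described in
 * the quoted commit message. Names and "current_mm" (for current->mm) are assumed. */
#include <stddef.h>
struct mm { int id; };                 /* stand-in for struct mm_struct */
struct node {
    struct node *next;                 /* list link, stand-in for the rb tree */
    struct mm *mm;                     /* owner recorded at insert time */
    int pages;                         /* pinned pages released on remove */
};
struct rb { struct node *head; int pinned_pages; };
/* Insert is guarded: a node whose mm is not the current mm is rejected. */
int rb_insert(struct rb *rb, struct node *n, struct mm *current_mm)
{
    if (current_mm != n->mm)
        return -1;
    n->next = rb->head;
    rb->head = n;
    rb->pinned_pages += n->pages;
    return 0;
}

/* Unlink n and release its pages; no-op if n is not in the tree. */
static void rb_unlink(struct rb *rb, struct node *n)
{
    struct node **pp = &rb->head;
    while (*pp && *pp != n)
        pp = &(*pp)->next;
    if (!*pp)
        return;
    *pp = n->next;
    n->next = NULL;
    rb->pinned_pages -= n->pages;
}

/* Before the fix: remove repeats the insert guard. On a close after a
 * segfault current->mm is NULL, the guard fails and the pages leak. */
int rb_remove_guarded(struct rb *rb, struct node *n, struct mm *current_mm)
{
    if (current_mm != n->mm)
        return -1;
    rb_unlink(rb, n);
    return 0;
}

/* After the fix: anything in the tree already passed the insert guard,
 * so remove unlinks regardless of which mm (or none) is current. */
void rb_remove(struct rb *rb, struct node *n)
{
    rb_unlink(rb, n);
}
```

With a NULL current mm, the guarded remove leaves the node and its pages in the tree, while the fixed remove releases them.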