Summary: Child process is able to access parent mm through hfi dev file handle
Product: SUSE Linux Enterprise Desktop (Public Beta SUSE Linux Enterprise Desktop 15 SP2)
Reporter: Anton Bodner <anton.bodner>
Component: Kernel
Assignee: Thomas Bogendoerfer <tbogendoerfer>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: mike.marciniszyn, pragyansri.pathi, steve.vogel, tbogendoerfer, tiwai
Version: Public RC2
Target Milestone: ---
Hardware: x86-64
OS: SLES 15
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description of problem:

The hfi1 driver enables a char device that users open through normal file system methods. When the file is opened, a pointer to current->mm is saved in the private data for the file handle. This is then used for IOCTL and write_iter() commands from the user for pinning and unpinning of memory on behalf of the user. The saved value is remembered in an attempt to handle the case where the context (current) that calls the close on the file, such as being killed by a signal or the OOM killer, is different from the original user. This causes a potential problem: if a child process with access to the parent's file handle calls an IOCTL, a write or a close, the value of the mm will be that of the parent, not the child process.

Version-Release number of selected component (if applicable):

All versions of RHEL which include upstream commits:
e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free")
3faa3d9a308e ("IB/hfi1: Make use of mm consistent")

How reproducible: Easy

Steps to Reproduce:
1. Open file
2. Fork
3. Child proc does IOCTL

Actual results: Wrong mm is used

Expected results: Child mm would be used
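The following user-space C model is an added illustration of the data flow described in the report; it is not hfi1 driver code and not the upstream fix. It models struct mm_struct, the task calling in ("current") and the per-open private data with toy structs (struct mm, struct task, struct filedata are assumed names), walks the reporter's three steps (open, fork, child IOCTL), and contrasts a pin handler that trusts the mm saved at open with one that uses the caller's mm and records it so a later close() from a different context still unpins against the right address space. The handler names and the "fixed" variant are assumptions for illustration only.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy stand-in for the kernel's struct mm_struct (assumed name). */
struct mm { int id; };

/* Toy stand-in for a task; "current" in the kernel is the caller's task. */
struct task { int pid; struct mm *mm; };

/* Per-open private data, modelled on the idea of hfi1's file private data. */
struct filedata {
    struct mm *mm;       /* mm remembered from open(); stale for a forked child */
    int pinned_pages;    /* toy accounting of pages pinned on behalf of mm */
};

/* open(): saves the opener's mm, as the report describes. */
void model_open(struct task *cur, struct filedata *fd) {
    fd->mm = cur->mm;
    fd->pinned_pages = 0;
}

/* fork(): the child gets its own mm but shares the open file description. */
void model_fork(const struct task *parent, struct task *child, struct mm *child_mm) {
    child->pid = parent->pid + 1;
    child->mm = child_mm;
}

/* Buggy pattern: pins against the mm saved at open, whoever is calling. */
struct mm *ioctl_pin_buggy(struct task *cur, struct filedata *fd) {
    (void)cur;               /* caller's mm is ignored */
    fd->pinned_pages++;
    return fd->mm;
}

/* Illustrative fix (assumption, not the upstream patch): pin against the
   caller's own mm and record it, so a close() issued from another context
   (signal, OOM killer) can still find the mm that owns the pinned pages. */
struct mm *ioctl_pin_fixed(struct task *cur, struct filedata *fd) {
    fd->mm = cur->mm;
    fd->pinned_pages++;
    return fd->mm;
}

/* close(): may run in a task other than the one that pinned, so it must use
   the recorded mm and not cur->mm. */
struct mm *release_unpin(struct task *cur, struct filedata *fd) {
    (void)cur;
    fd->pinned_pages = 0;
    return fd->mm;
}

/* Reporter's steps 1-3 against one pin handler; returns the mm the child's
   pin was charged to. */
struct mm *run_scenario(struct mm *(*ioctl)(struct task *, struct filedata *),
                        struct mm *parent_mm, struct mm *child_mm) {
    struct task parent = { 1000, parent_mm }, child;
    struct filedata fd;
    model_open(&parent, &fd);               /* 1. parent opens the device  */
    model_fork(&parent, &child, child_mm);  /* 2. fork: child has own mm   */
    return ioctl(&child, &fd);              /* 3. child issues the IOCTL   */
}

/* Fixed flow all the way through: child pins, then close() runs in the
   parent's context; the unpin must still target the child's mm. */
struct mm *run_fixed_then_close_from_parent(struct mm *parent_mm, struct mm *child_mm) {
    struct task parent = { 1000, parent_mm }, child;
    struct filedata fd;
    model_open(&parent, &fd);
    model_fork(&parent, &child, child_mm);
    ioctl_pin_fixed(&child, &fd);
    return release_unpin(&parent, &fd);
}

int main(void) {
    struct mm parent_mm = { 1 }, child_mm = { 2 };
    printf("buggy: child pin charged to mm %d (parent's)\n",
           run_scenario(ioctl_pin_buggy, &parent_mm, &child_mm)->id);
    printf("fixed: child pin charged to mm %d (child's)\n",
           run_scenario(ioctl_pin_fixed, &parent_mm, &child_mm)->id);
    printf("fixed, close from parent: unpin targets mm %d\n",
           run_fixed_then_close_from_parent(&parent_mm, &child_mm)->id);
    return 0;
}
```

The model keeps the reporter's two constraints visible at once: a pin request must be charged to the address space of the task that issues it, while the release path must not look at current at all, because the task that closes the file can be anything from the original opener to the OOM killer's victim-teardown context.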