Bug 1176630 - Child process is able to access parent mm through hfi dev file handle
Status: RESOLVED DUPLICATE of bug 1179878
Classification: SUSE Linux Enterprise Desktop
Product: Public Beta SUSE Linux Enterprise Desktop 15 SP2
Component: Kernel
Version: Public RC2
Hardware/OS: x86-64 SLES 15
Priority/Severity: P5 - None / Major
Target Milestone: ---
Assigned To: Thomas Bogendoerfer
Reported: 2020-09-16 15:13 UTC by Anton Bodner
Modified: 2021-01-26 15:03 UTC (History)
Description Anton Bodner 2020-09-16 15:13:54 UTC
Description of problem:
The hfi1 driver enables a char device that users open through normal file system methods. When the file is opened, a pointer to current->mm is saved in the private data for the file handle.

This is then used for IOCTL and write_iter() commands from the user for pinning and unpinning of memory on behalf of the user. The saved value is remembered in an attempt to handle the case where the context (current) that calls close on the file, such as when the process is killed by a signal or the OOM killer, is different from the original user.

This causes a potential problem: if a child process with access to the parent's file handle calls an IOCTL, write, or close, the value of the mm will be that of the parent, not the child process.

Version-Release number of selected component (if applicable):
All versions of RHEL which include the upstream commits:
     e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free")
     3faa3d9a308e ("IB/hfi1: Make use of mm consistent")

How reproducible:
Easy

Steps to Reproduce:
1. Open file
2. Fork
3. Child proc does IOCTL

Actual results:
Wrong mm is used

Expected results:
Child mm would be used
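As an added illustration (not code from the report or from the hfi1 driver), a constructed user-space C model of the open-time capture described above: an `mm` is reduced to a per-process pinned-page counter with a lock limit, `current_mm` stands in for the kernel's `current->mm`, and the corrected path charges the calling process's mm rather than the one saved at open.

```c
#include <stdbool.h>

/* Constructed model: an "mm" is reduced to a per-process pinned-page counter. */
struct mm { int id; long pinned_vm; long lock_limit; };

/* Private data the driver keeps for each open file handle. */
struct fd_priv { struct mm *saved_mm; };

/* Stand-in for the kernel's current->mm; set explicitly by the model below. */
static struct mm *current_mm;

static void model_open(struct fd_priv *fd)
{
    fd->saved_mm = current_mm;   /* the open-time capture the report describes */
}

/* Charge npages against an mm, honouring that mm's lock limit. */
static int account_pin(struct mm *mm, long npages)
{
    if (mm->pinned_vm + npages > mm->lock_limit)
        return -1;               /* over limit: refuse the pin */
    mm->pinned_vm += npages;
    return mm->id;               /* report which mm was charged */
}

/* Buggy IOCTL path: pins on behalf of the mm saved at open. */
static int pin_buggy(struct fd_priv *fd, long npages)
{
    return account_pin(fd->saved_mm, npages);
}

/* Corrected IOCTL path: pins on behalf of the calling process. The saved
 * mm is kept only for the close path, where current may not be the opener. */
static int pin_fixed(struct fd_priv *fd, long npages)
{
    (void)fd;
    return account_pin(current_mm, npages);
}

/* Replays the report's steps (open, fork, child does IOCTL) and returns the
 * id of the mm that was charged, or -1 if the pin was refused. */
int charged_mm(bool fixed, long npages)
{
    struct mm parent = { .id = 1, .pinned_vm = 0, .lock_limit = 64 };
    struct mm child  = { .id = 2, .pinned_vm = 0, .lock_limit = 8 };
    struct fd_priv fd;

    current_mm = &parent;
    model_open(&fd);             /* 1. parent opens the device */
    current_mm = &child;         /* 2. fork: child inherits fd but has its own mm */
    return fixed ? pin_fixed(&fd, npages) : pin_buggy(&fd, npages);  /* 3. */
}
```

With the buggy path the child's pin is both charged to and limit-checked against the parent's mm; the corrected path enforces the child's own limit.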
Comment 1 Thomas Bogendoerfer 2021-01-26 15:03:45 UTC
Bug is tracked in bug 1179878

*** This bug has been marked as a duplicate of bug 1179878 ***