Bugzilla – Bug 1176630
Child process is able to access parent mm through hfi dev file handle
Last modified: 2021-01-26 15:03:45 UTC
Description of problem:
hfi1 driver enables a char device that users open through normal file system methods. When the file is opened a pointer to the current->mm is saved in the private data for the file handle.
This is then used for IOCTL and write_iter() commands from the user for pinning and unpinning of memory on behalf of the user. The saved value is remembered in an attempt to handle the case where the context (current) value that calls the close on the file, such as being killed by a signal or OOM killer, is different than the original user.
This causes a potential problem where if a child process with access to the parents file handle calls an IOCTL or write or close, the value of the mm will be that of the parent, not the child process.
Version-Release number of selected component (if applicable):
All version of RHEL which include upstream commits:
e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free")
3faa3d9a308e ("IB/hfi1: Make use of mm consistent")
Steps to Reproduce:
1. Open file
3. Child proc does IOCTL
Wrong mm is used
Child mm would be used
Bug is tracked in bug 1179878
*** This bug has been marked as a duplicate of bug 1179878 ***