[patch 07/40] IB/uverbs: Fix checking of userspace object ownership

To: <linux-kernel@...>, <stable@...>
Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, Domenico Andreoli <cavokz@...>, <torvalds@...>, <akpm@...>, <alan@...>, Roland Dreier <rolandd@...>
Date: Thursday, November 15, 2007 - 2:44 am

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Roland Dreier <rolandd@cisco.com>

Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704

Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
rewrote how userspace objects are looked up in the uverbs module's
idrs, and introduced a severe bug in the process: there is no checking
that an operation is being performed by the right process any more.
Fix this by adding the missing check of uobj->context in __idr_get_uobj().

Apparently everyone is being very careful to only touch their own
objects, because this bug was introduced in June 2006 in 2.6.18, and
has gone undetected until now.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/infiniband/core/uverbs_cmd.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -147,8 +147,12 @@ static struct ib_uobject *__idr_get_uobj
 
 	spin_lock(&ib_uverbs_idr_lock);
 	uobj = idr_find(idr, id);
-	if (uobj)
-		kref_get(&uobj->ref);
+	if (uobj) {
+		if (uobj->context == context)
+			kref_get(&uobj->ref);
+		else
+			uobj = NULL;
+	}
 	spin_unlock(&ib_uverbs_idr_lock);
 
 	return uobj;
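Review bot: the ownership test at `if (uobj->context == context)` is placed correctly, under ib_uverbs_idr_lock and before kref_get(), so a reference is never taken on an object belonging to another context and the lookup plus ownership check are atomic with respect to removal. Two things worth confirming: the hunk uses `context` without it appearing in the visible lines (the `@@` header truncates the parameter list), so the -stable tree's __idr_get_uobj() must already take the caller's context argument for this backport to compile; and a foreign object and a missing id now both yield NULL, which is the right choice for not disclosing other processes' ids, but the callers outside this hunk should be checked to return the same error in both cases so the failure modes stay indistinguishable.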
