| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Apr 2020 10:25:11 +0800
From: zerons <sironhide0null@...il.com>
To: santosh.shilimkar@...cle.com,
Ka-Cheong Poon <ka-cheong.poon@...cle.com>,
netdev@...r.kernel.org
Cc: davem@...emloft.net, rds-devel@....oracle.com
Subject: Re: [PATCH net 2/2] net/rds: Fix MR reference counting problem
On 4/8/20 03:30, santosh.shilimkar@...cle.com wrote:
> On 4/7/20 9:08 AM, Ka-Cheong Poon wrote:
>> In rds_free_mr(), it calls rds_destroy_mr(mr) directly. But this
>> defeats the purpose of reference counting and makes MR free handling
>> impossible. It means that holding a reference does not guarantee that
>> it is safe to access some fields. For example, In
>> rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
>> calls mr->r_trans->sync_mr(). But if rds_free_mr() (and
>> rds_destroy_mr()) is called in between (there is no lock preventing
>> this to happen), r_trans_private is set to NULL, causing a panic.
>> Similar issue is in rds_rdma_unuse().
>>
>> Reported-by: zerons <sironhide0null@...il.com>
>> Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@...cle.com>
>> ---
> Thanks for getting this out on the list.
>
> Hi zerons,
> Can you please review it and see it addresses your concern ?
>
Yes, the MR gets freed only when the ref count decreases to zero does
address my concern. I think it make the logic cleaner as well. Fantastic!
Regards,
zerons
Powered by blists - more mailing lists