| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Apr 2020 19:52:13 -0700
From: santosh.shilimkar@...cle.com
To: zerons <sironhide0null@...il.com>,
Ka-Cheong Poon <ka-cheong.poon@...cle.com>,
netdev@...r.kernel.org
Cc: davem@...emloft.net, rds-devel@....oracle.com
Subject: Re: [PATCH net 2/2] net/rds: Fix MR reference counting problem
On 4/7/20 7:25 PM, zerons wrote:
> On 4/8/20 03:30, santosh.shilimkar@...cle.com wrote:
>> On 4/7/20 9:08 AM, Ka-Cheong Poon wrote:
>>> In rds_free_mr(), it calls rds_destroy_mr(mr) directly. But this
>>> defeats the purpose of reference counting and makes MR free handling
>>> impossible. It means that holding a reference does not guarantee that
>>> it is safe to access some fields. For example, In
>>> rds_cmsg_rdma_dest(), it increases the ref count, unlocks and then
>>> calls mr->r_trans->sync_mr(). But if rds_free_mr() (and
>>> rds_destroy_mr()) is called in between (there is no lock preventing
>>> this to happen), r_trans_private is set to NULL, causing a panic.
>>> Similar issue is in rds_rdma_unuse().
>>>
>>> Reported-by: zerons <sironhide0null@...il.com>
>>> Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@...cle.com>
>>> ---
>> Thanks for getting this out on the list.
>>
>> Hi zerons,
>> Can you please review it and see it addresses your concern ?
>>
>
> Yes, the MR gets freed only when the ref count decreases to zero does
> address my concern. I think it make the logic cleaner as well. Fantastic!
>
Thanks for confirmation.
FWIW,
Acked-by: Santosh Shilimkar <santosh.shilimkar@...cle.com>
Powered by blists - more mailing lists