> - one thread creates an id with an invalid userspace pointer
>   (so the copy_to_user in ucma_create_id returns -EFAULT
>   and calls rdma_destroy_id before idr_remove)
> - another thread guesses the id that is going to be returned and
>   calls ucma_destroy_id()
>
> if the second thread hits the window where the cm_id is
> destroyed but the ctx is still in the idr, it can trigger a double free.
I think we'd have to hold the file->mut around the entire ucma_create_id() operation to fix this.
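The window described in the quoted message, as an added userspace model that is not kernel code and not part of this thread. The names (idr, file->mut, rdma_destroy_id, ucma_create_id, ucma_destroy_id) mirror the kernel ones but every function here is a stand-in; the ordering inside ucma_create_id() follows the quoted description (id published, copy_to_user fails, rdma_destroy_id, then idr_remove), and the "second thread" is a hook run at a chosen step rather than a real thread, so the interleaving is deterministic. The model assumes the first id handed out is 0, which is what the racing thread guesses. `hold_mut_across_create` selects the fix proposed above, holding file->mut for the whole of create.

```c
/* Single-threaded model of the ucma_create_id()/ucma_destroy_id() race.
 * Stand-in code, not the kernel's: the racer is invoked at a fixed step. */
#include <stdio.h>
#include <string.h>

#define EFAULT 14
#define ENOENT 2
#define ENOMEM 12
#define MAX_IDS 8

struct cm_id { int destroy_calls; };                 /* 2 == double free   */
struct ucma_context { int id; struct cm_id *cm_id; int free_calls; };

struct ucma_file {
    int mut_held;                                    /* stands in for file->mut */
    struct ucma_context *idr[MAX_IDS];               /* stands in for ctx_idr   */
};

struct outcome { int cm_id_destroys; int ctx_frees; int racer_rc; };

/* The second thread: guesses the id and calls destroy. If file->mut is held
 * when it tries, it would block, so it is marked deferred and resumes after
 * ucma_create_id() drops the mutex. */
struct racer { int at_step; int guessed_id; int deferred; int rc; int ran; };

static void mutex_lock(struct ucma_file *f)   { f->mut_held = 1; }
static void mutex_unlock(struct ucma_file *f) { f->mut_held = 0; }

static int idr_alloc(struct ucma_file *f, struct ucma_context *ctx)
{
    for (int i = 0; i < MAX_IDS; i++)                /* lowest free id, like idr */
        if (!f->idr[i]) { f->idr[i] = ctx; return i; }
    return -1;
}

static void rdma_destroy_id(struct cm_id *id) { id->destroy_calls++; }
static void kfree_ctx(struct ucma_context *ctx) { ctx->free_calls++; }

static int ucma_destroy_id(struct ucma_file *f, int id)
{
    struct ucma_context *ctx;

    mutex_lock(f);
    ctx = (id >= 0 && id < MAX_IDS) ? f->idr[id] : NULL;
    if (ctx)
        f->idr[id] = NULL;                           /* idr_remove */
    mutex_unlock(f);
    if (!ctx)
        return -ENOENT;
    rdma_destroy_id(ctx->cm_id);
    kfree_ctx(ctx);
    return 0;
}

static void race_point(struct ucma_file *f, struct racer *r, int step)
{
    if (r->at_step != step || r->ran) return;
    r->ran = 1;
    if (f->mut_held) { r->deferred = 1; return; }    /* blocks on file->mut */
    r->rc = ucma_destroy_id(f, r->guessed_id);
}

/* The -EFAULT path of ucma_create_id(): an invalid user pointer was passed. */
static int ucma_create_id(struct ucma_file *f, struct ucma_context *ctx,
                          int hold_mut_across_create, struct racer *r)
{
    mutex_lock(f);
    ctx->id = idr_alloc(f, ctx);
    if (ctx->id < 0) { mutex_unlock(f); return -ENOMEM; }
    if (!hold_mut_across_create)
        mutex_unlock(f);                             /* unfixed: mutex dropped here */

    race_point(f, r, 1);          /* id is visible, copy_to_user not yet tried */
    /* copy_to_user() of the id fails here, so tear the cm_id down */
    rdma_destroy_id(ctx->cm_id);
    race_point(f, r, 2);          /* cm_id destroyed, ctx still in the idr   */

    if (!hold_mut_across_create)
        mutex_lock(f);
    f->idr[ctx->id] = NULL;                          /* idr_remove */
    mutex_unlock(f);
    kfree_ctx(ctx);
    return -EFAULT;
}

/* Run one interleaving; race_step 1 or 2 picks where the racer fires. */
struct outcome run_scenario(int hold_mut_across_create, int race_step)
{
    struct ucma_file f;
    struct cm_id id = { 0 };
    struct ucma_context ctx = { -1, &id, 0 };
    struct racer r = { race_step, 0, 0, 0, 0 };     /* guesses id 0 */
    struct outcome o;

    memset(&f, 0, sizeof f);
    ucma_create_id(&f, &ctx, hold_mut_across_create, &r);
    if (r.deferred)
        r.rc = ucma_destroy_id(&f, r.guessed_id);    /* blocked thread resumes */
    o.cm_id_destroys = id.destroy_calls;
    o.ctx_frees = ctx.free_calls;
    o.racer_rc = r.rc;
    return o;
}

int main(void)
{
    for (int fix = 0; fix <= 1; fix++)
        for (int step = 1; step <= 2; step++) {
            struct outcome o = run_scenario(fix, step);
            printf("fix=%d step=%d: cm_id destroys=%d ctx frees=%d racer rc=%d\n",
                   fix, step, o.cm_id_destroys, o.ctx_frees, o.racer_rc);
        }
    return 0;
}
```

Without the fix, both interleavings destroy the cm_id twice and free the ctx twice, whichever side of rdma_destroy_id the racer lands on; with file->mut held across the whole create, the racer's destroy runs only after idr_remove and gets -ENOENT. The model only counts calls instead of freeing memory, which is what makes the double free observable as a number rather than a crash.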