1) find_vma() is *not* safe without ->mmap_sem and its result may
very well be freed just as it's returned to caller. IOW,
gntdev_ioctl_get_offset_for_vaddr() is racy and may end up with
dereferencing freed memory.
2) gntdev_vma_close() is putting NULL into map->vma with only
->mmap_sem held by caller. Things like
if (!map->vma)
continue;
if (map->vma->vm_start >= end)
continue;
if (map->vma->vm_end <= start)
done with just priv->lock held are racy.
I'm not familiar with the code, but it looks like we need to
protect gntdev_vma_close() guts with the same spinlock and probably
hold ->mmap_sem shared around the "find_vma()+get to map->{index,count}"
in the ioctl. Or replace the logics in ioctl with search through the
list of grant_map under the same spinlock...
Comments?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
