Re: [RFC PATCH 10/10] vfio/type1: Register device notifier

From: Peter Xu
Date: Thu Feb 25 2021 - 14:58:21 EST

Next message: Masahiro Yamada: "Re: [PATCH] kbuild: lto: add _mcount to list of used symbols"
Previous message: Guenter Roeck: "Re: [PATCH v3] usb: typec: tcpm: Wait for vbus discharge to VSAFE0V before toggling"
In reply to: Jason Gunthorpe: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
Next in thread: Christoph Hellwig: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 25, 2021 at 03:17:14PM -0400, Jason Gunthorpe wrote:
> It is a use-after-free. Once the PFN is programmed into the IOMMU it
> becomes completely divorced from the VMA. Remember there is no
> pin_user_page here, so the PFN has no reference count.
>
> If the owner of the VMA decided to zap it or otherwise then the IOMMU
> access keeps going - but now the owner thinks the PFN is free'd and
> nobody is referencing it. Goes bad.

Sounds reasonable. Thanks,

--
Peter Xu

Next message: Masahiro Yamada: "Re: [PATCH] kbuild: lto: add _mcount to list of used symbols"
Previous message: Guenter Roeck: "Re: [PATCH v3] usb: typec: tcpm: Wait for vbus discharge to VSAFE0V before toggling"
In reply to: Jason Gunthorpe: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
Next in thread: Christoph Hellwig: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]