Re: [RFC PATCH 10/10] vfio/type1: Register device notifier

From: Peter Xu
Date: Thu Feb 25 2021 - 14:58:21 EST

• Next message: Masahiro Yamada: "Re: [PATCH] kbuild: lto: add _mcount to list of used symbols"
• Previous message: Guenter Roeck: "Re: [PATCH v3] usb: typec: tcpm: Wait for vbus discharge to VSAFE0V before toggling"
• In reply to: Jason Gunthorpe: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
• Next in thread: Christoph Hellwig: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

On Thu, Feb 25, 2021 at 03:17:14PM -0400, Jason Gunthorpe wrote:
> It is a use-after-free. Once the PFN is programmed into the IOMMU it
> becomes completely divorced from the VMA. Remember there is no
> pin_user_page here, so the PFN has no reference count.
>
> If the owner of the VMA decided to zap it or otherwise then the IOMMU
> access keeps going - but now the owner thinks the PFN is free'd and
> nobody is referencing it. Goes bad.

Sounds reasonable. Thanks,

--
Peter Xu

---

• Next message: Masahiro Yamada: "Re: [PATCH] kbuild: lto: add _mcount to list of used symbols"
• Previous message: Guenter Roeck: "Re: [PATCH v3] usb: typec: tcpm: Wait for vbus discharge to VSAFE0V before toggling"
• In reply to: Jason Gunthorpe: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
• Next in thread: Christoph Hellwig: "Re: [RFC PATCH 10/10] vfio/type1: Register device notifier"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]