From: Jason Gunthorpe <jgg@ziepe.ca>
To: David Hildenbrand <david@redhat.com>
Cc: Peter Xu <peterx@redhat.com>,
Pantelis Antoniou <p.antoniou@partner.samsung.com>,
Andrew Morton <akpm@linux-foundation.org>,
mm-commits@vger.kernel.org, wade.farnsworth@siemens.com,
jhubbard@nvidia.com, c.briere@samsung.com, artem.k@samsung.com,
David Howells <dhowells@redhat.com>
Subject: Re: + fix-zero-copy-i-o-on-__get_user_pages-allocated-pages.patch added to mm-hotfixes-unstable branch
Date: Thu, 8 May 2025 16:19:20 -0300
Message-ID: <20250508191920.GC138689@ziepe.ca>
In-Reply-To: <5d791609-411b-4e4b-b502-ffee80e8b46b@redhat.com>

On Thu, May 08, 2025 at 09:14:38PM +0200, David Hildenbrand wrote:
> On 08.05.25 21:08, Peter Xu wrote:
> > On Thu, May 08, 2025 at 09:04:11PM +0200, David Hildenbrand wrote:
> > > It's doing the same wrong thing at a different place.
> >
> > As I mentioned, I believe KVM has this wrong thing working so far.. and it
> > doesn't block us from going right ultimately. It's a matter of time.
>
> Yes, KVM has it wrong and vfio probably as well. And they are usually not
> dealing with actual kernel allocations, but rather with MMIO ranges.

vfio also doesn't take references on the things it pulls out of the
VMA. The vfio bug is different, it lets you take a pte special
phys_addr_t and reference it through the IOMMU without any
refcounting. So when the VMA is destroyed and the page free'd by the
GPU driver we just UAF it from VFIO through the iommu page
table. Woops.

What we are talking about here is very different from both kvm and
vfio, this is ignoring pte special and accessing the struct page
refcount anyhow. I certainly don't know of anything that is doing
that, though I didn't know about the old netfs stuff :\

Jason