From: Jason Gunthorpe <jgg@nvidia.com>
To: Steven Sistare <steven.sistare@oracle.com>
Cc: kvm@vger.kernel.org, Alex Williamson <alex.williamson@redhat.com>,
	Cornelia Huck <cohuck@redhat.com>,
	Kevin Tian <kevin.tian@intel.com>
Subject: Re: [PATCH V5 2/7] vfio/type1: prevent locked_vm underflow
Date: Fri, 16 Dec 2022 13:07:20 -0400
Message-ID: <Y5ylyIwCFF1u/RjW@nvidia.com>
In-Reply-To: <12c07702-ac7a-7e62-8bea-1f38055dfbf3@oracle.com>

On Fri, Dec 16, 2022 at 10:42:13AM -0500, Steven Sistare wrote:
> On 12/16/2022 9:09 AM, Jason Gunthorpe wrote:
> > On Thu, Dec 15, 2022 at 01:56:59PM -0800, Steve Sistare wrote:
> >> When a vfio container is preserved across exec, the task does not change,
> >> but it gets a new mm with locked_vm=0.  If the user later unmaps a dma
> >> mapping, locked_vm underflows to a large unsigned value, and a subsequent
> >> dma map request fails with ENOMEM in __account_locked_vm.
> >>
> >> To avoid underflow, grab and save the mm at the time a dma is mapped.
> >> Use that mm when adjusting locked_vm, rather than re-acquiring the saved
> >> task's mm, which may have changed.  If the saved mm is dead, do nothing.
> >>
> >> Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
> >> ---
> >>  drivers/vfio/vfio_iommu_type1.c | 17 ++++++++++-------
> >>  1 file changed, 10 insertions(+), 7 deletions(-)
> > 
> > Add fixes lines and a CC stable
> 
> This predates the update vaddr functionality, so AFAICT:
> 
>     Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
> 
> I'll wait on cc'ing stable until alex has chimed in.

Yes

> > The subject should be more like 'vfio/type1: Prevent corruption of mm->locked_vm via exec()'
> 
> Underflow is a more precise description of the first corruption. How about:
> 
> vfio/type1: Prevent underflow of locked_vm via exec()

sure
 
> >> @@ -1687,6 +1689,8 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
> >>  	get_task_struct(current->group_leader);
> >>  	dma->task = current->group_leader;
> >>  	dma->lock_cap = capable(CAP_IPC_LOCK);
> >> +	dma->mm = dma->task->mm;
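Review bot: `dma->mm = dma->task->mm;` stores a raw pointer to the mm with no reference taken in this hunk, while the commit message says to "grab and save the mm". Unless another hunk of the patch pairs this assignment with mmgrab() (and an mmdrop() when the dma is freed), the saved pointer can outlive the mm once exec() replaces it, and the "if the saved mm is dead, do nothing" check at unmap time would then read freed memory. Also, since the locked_vm charge in this function was made against the caller's mm, saving current->mm (as the reply suggests) and grabbing it right there keeps the charged mm and the saved mm the same object.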
> > 
> > This should be current->mm, current->group_leader->mm is not quite the
> > same thing (and maybe another bug, I'm not sure)
> 
> When are they different -- when the leader is a zombie?

I'm actually not sure if they can be different, but if they are
different then group_leader is the wrong one. Better not to chance it.

Jason

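The bug described in the quoted commit message, as an added user-space model written for this page rather than code from the patch or the kernel: a task's mm carries an unsigned locked_vm counter, exec() hands the task a fresh mm with locked_vm = 0, and a dma mapping that was charged against the old mm is later uncharged. The buggy unmap looks the mm up again through the saved task and underflows the new mm's counter, after which a further map fails the rlimit check with ENOMEM; the fixed unmap uses the mm it saved at map time and does nothing if that mm is dead. The structure and function names (model_mm, model_task, model_dma, scenario) are assumptions of this example, and the mm "dead" flag stands in for the kernel's reference-counted mm lifetime.

```c
/* Added example modelling vfio type1 locked_vm accounting across exec().
 * Not kernel code: names and structures are constructed for illustration. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct model_mm {
    unsigned long locked_vm;   /* unsigned, like mm->locked_vm */
    unsigned long rlimit_lock; /* stands in for RLIMIT_MEMLOCK, in pages */
    bool dead;                 /* no users left; a saved pointer sees it as dead */
};

struct model_task {
    struct model_mm *mm;       /* task->mm, replaced by exec() */
};

struct model_dma {
    struct model_task *task;   /* saved task (buggy path looks mm up through it) */
    struct model_mm *mm;       /* saved mm (fixed path uses this) */
    unsigned long npages;
};

/* Model of __account_locked_vm(): 0 on success, -12 (ENOMEM) over the limit.
 * The decrement mirrors the kernel: it warns, but the subtraction still wraps. */
static int account_locked_vm(struct model_mm *mm, unsigned long npages, bool inc)
{
    if (inc) {
        if (mm->locked_vm + npages > mm->rlimit_lock)
            return -12;
        mm->locked_vm += npages;
        return 0;
    }
    if (npages > mm->locked_vm)
        fprintf(stderr, "WARN: locked_vm underflow (%lu < %lu)\n", mm->locked_vm, npages);
    mm->locked_vm -= npages;
    return 0;
}

static struct model_mm *mm_new(unsigned long rlimit)
{
    struct model_mm *mm = calloc(1, sizeof(*mm));
    mm->rlimit_lock = rlimit;
    return mm;
}

/* exec(): same task, brand-new mm with locked_vm = 0; the old mm is dead. */
static void task_exec(struct model_task *t)
{
    struct model_mm *old = t->mm;
    old->dead = true;
    t->mm = mm_new(old->rlimit_lock);
}

/* Map: charge the caller's mm and remember both the task and the charged mm. */
static int dma_map(struct model_dma *dma, struct model_task *t, unsigned long npages)
{
    int ret = account_locked_vm(t->mm, npages, true);
    if (ret)
        return ret;
    dma->task = t;
    dma->mm = t->mm;
    dma->npages = npages;
    return 0;
}

/* Before the fix: re-acquire the mm through the saved task (wrong after exec). */
static void dma_unmap_buggy(struct model_dma *dma)
{
    account_locked_vm(dma->task->mm, dma->npages, false);
}

/* After the fix: uncharge the mm that was charged; skip it if it is dead. */
static void dma_unmap_fixed(struct model_dma *dma)
{
    if (dma->mm->dead)
        return;
    account_locked_vm(dma->mm, dma->npages, false);
}

/* The sequence from the commit message: map 16 pages, exec, unmap, map 8 pages.
 * Stores locked_vm of the post-exec mm after the unmap and returns the result
 * of the second map: -12 (ENOMEM) on the buggy path, 0 on the fixed one. */
static int scenario(bool fixed, unsigned long *locked_after_unmap)
{
    struct model_task t = { .mm = mm_new(64) };
    struct model_dma dma;
    struct model_mm *old;
    int ret;

    if (dma_map(&dma, &t, 16))
        return -1;
    old = dma.mm;
    task_exec(&t);
    if (fixed)
        dma_unmap_fixed(&dma);
    else
        dma_unmap_buggy(&dma);       /* 0 - 16 wraps to ULONG_MAX - 15 */
    *locked_after_unmap = t.mm->locked_vm;
    ret = dma_map(&dma, &t, 8);      /* wrapped counter now exceeds the rlimit */
    free(old);
    free(t.mm);
    return ret;
}

int main(void)
{
    unsigned long locked;
    int ret = scenario(false, &locked);
    printf("buggy: second map returns %d, locked_vm after unmap = %lu\n", ret, locked);
    ret = scenario(true, &locked);
    printf("fixed: second map returns %d, locked_vm after unmap = %lu\n", ret, locked);
    return 0;
}
```

The second map deliberately uses a different size from the first: uncharging and recharging the same count would wrap the counter back to zero and hide the underflow, which is why the failure in practice shows up on a later, differently sized request.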
Thread overview: 17+ messages
2022-12-15 21:56 [PATCH V5 0/7] fixes for virtual address update Steve Sistare
2022-12-15 21:56 ` [PATCH V5 1/7] vfio/type1: exclude mdevs from VFIO_UPDATE_VADDR Steve Sistare
2022-12-16 14:10   ` Jason Gunthorpe
2022-12-15 21:56 ` [PATCH V5 2/7] vfio/type1: prevent locked_vm underflow Steve Sistare
2022-12-16 14:09   ` Jason Gunthorpe
2022-12-16 15:42     ` Steven Sistare
2022-12-16 16:10       ` Alex Williamson
2022-12-16 16:16         ` Steven Sistare
2022-12-16 16:33           ` Alex Williamson
2022-12-16 17:07       ` Jason Gunthorpe [this message]
2022-12-15 21:57 ` [PATCH V5 3/7] vfio/type1: count reserved pages Steve Sistare
2022-12-15 22:15   ` Steven Sistare
2022-12-15 21:57 ` [PATCH V5 4/7] vfio/type1: restore locked_vm Steve Sistare
2022-12-16 14:12   ` Jason Gunthorpe
2022-12-15 21:57 ` [PATCH V5 5/7] vfio/type1: revert "block on invalid vaddr" Steve Sistare
2022-12-15 21:57 ` [PATCH V5 6/7] vfio/type1: revert "implement notify callback" Steve Sistare
2022-12-15 21:57 ` [PATCH V5 7/7] vfio: revert "iommu driver " Steve Sistare
