From: Linus Torvalds <torvalds@linux-foundation.org>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: DRI <dri-devel@lists.freedesktop.org>,
"KVM list" <kvm@vger.kernel.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Dave Airlie" <airlied@linux.ie>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Jason Wang" <jasowang@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"USB list" <linux-usb@vger.kernel.org>,
intel-gfx <intel-gfx@lists.freedesktop.org>,
"Alex Deucher" <alexander.deucher@amd.com>,
amd-gfx@lists.freedesktop.org,
intel-gvt-dev@lists.freedesktop.org,
"Christian König" <christian.koenig@amd.com>,
"Zhi Wang" <zhi.a.wang@intel.com>,
"Felipe Balbi" <balbi@kernel.org>
Subject: Re: Possible use_mm() mis-uses
Date: Wed, 22 Aug 2018 11:57:00 -0700
Message-ID: <CA+55aFwbdtiPNNwL47TB0b7oS5qfRo7CMYKBA9FQ150AUWE0ew@mail.gmail.com>
In-Reply-To: <CA+55aFyava7Q=1ZPqjHhAs88UZsmk+DD2ot5r9_CvH+TTMswWQ@mail.gmail.com>
On Wed, Aug 22, 2018 at 11:33 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Wed, Aug 22, 2018 at 11:21 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
> >
> > Yes, KVM is correct but the i915 bits are at least fishy. It's probably
> > as simple as adding a mmget/mmput pair respectively in kvmgt_guest_init
> > and kvmgt_guest_exit, or maybe mmget_not_zero.
>
> Definitely mmget_not_zero(). If it was just mmgrab()'ed earlier, the
> actual page tables might already be gone.
Side note: we _could_ do the mmget_not_zero() inside use_mm() itself,
if we just knew that the mm was at least mmgrab()'ed correctly.
But for some of the uses, even that isn't clear. It's not entirely
obvious that the "struct mm_struct" exists _at_all_ at that point, and
that a mmget_not_zero() wouldn't just have some use-after-free access.
Again, independent lifetime rules could show that this isn't the case
(ie "exit_aio() is always called before exit_mmap(), and kill_ioctx()
takes care of it all"), but it would be good to have the users of
"use_mm()" actually verify their lifetime rules are correct and
enforced.
Because quite often, the lifetime rule might not be a mmu notifier or
aio_exit at all, but just be "oh, the user won't exit until this is
all done". But do you *control* the user? What if the user is buggy?
Linus
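An added example, not from this thread or from the kernel source: a userspace C model of the two mm_struct reference counts the reply is about (mm_count via mmgrab()/mmdrop() keeps the struct itself alive; mm_users via mmget()/mmput() keeps the page tables alive), showing why a use_mm() caller that only holds an mmgrab() reference must go through mmget_not_zero() and refuse the access when it fails. The struct and function names mirror the kernel's, but the bodies are a simplified simulation, not the real implementation.

```c
#include <stdbool.h>

/* Simulation only: two counters with the kernel's names and roles. */
struct mm_struct {
    int mm_count; /* struct lifetime: mmgrab()/mmdrop()       */
    int mm_users; /* page-table lifetime: mmget()/mmput()     */
};

static void mmgrab(struct mm_struct *mm) { mm->mm_count++; }
static void mmdrop(struct mm_struct *mm) { mm->mm_count--; }

/* In the kernel the last mmput() runs exit_mmap() and frees the page tables. */
static void mmput(struct mm_struct *mm) { mm->mm_users--; }

/* Succeeds only while mm_users is non-zero, i.e. page tables still exist.
 * Caller must already hold mm_count so the struct itself is alive here. */
static bool mmget_not_zero(struct mm_struct *mm)
{
    if (mm->mm_users == 0)
        return false;
    mm->mm_users++;
    return true;
}

/* Safe pattern: mmget_not_zero() before use_mm(), mmput() after unuse_mm(). */
static bool driver_touch_mm(struct mm_struct *mm)
{
    if (!mmget_not_zero(mm))
        return false; /* page tables already gone: refuse the access */
    /* use_mm(mm); ... access the guest's memory ...; unuse_mm(mm); */
    mmput(mm);
    return true;
}

/* Owner task still alive at access time: the access is permitted. */
static bool access_while_owner_alive(void)
{
    struct mm_struct mm = { .mm_count = 1, .mm_users = 1 };
    mmgrab(&mm);                    /* registration (guest init)  */
    bool ok = driver_touch_mm(&mm);
    mmput(&mm);                     /* owner exits afterwards     */
    mmdrop(&mm);                    /* teardown (guest exit)      */
    return ok;
}

/* Owner exited first: mmget_not_zero() fails, so freed tables are never used. */
static bool access_after_owner_exit(void)
{
    struct mm_struct mm = { .mm_count = 1, .mm_users = 1 };
    mmgrab(&mm);
    mmput(&mm);                     /* owner exits: tables freed  */
    bool ok = driver_touch_mm(&mm);
    mmdrop(&mm);
    return ok;
}
```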