On Thu, May 14, 2020 at 10:51:58AM -0600, Alex Williamson wrote:
> @@ -1450,6 +1467,10 @@ static int vfio_pci_zap_and_vma_lock(struct 
> vfio_pci_device *vdev, bool try)
>  
>                               zap_vma_ptes(vma, vma->vm_start,
>                                            vma->vm_end - vma->vm_start);
> +                             mutex_unlock(&vdev->vma_lock);
> +                             up_read(&mm->mmap_sem);
> +                             vfio_invalidate_pfnmap_vma(vdev->group, vma);
> +                             goto again;
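Review bot: `vma` is dereferenced after the `up_read(&mm->mmap_sem)` on the line above it, in `vfio_invalidate_pfnmap_vma(vdev->group, vma)`, but a `struct vm_area_struct` is only guaranteed to stay valid while mmap_sem is held; once the read side is dropped a concurrent munmap can free it. Either call `vfio_invalidate_pfnmap_vma()` before `up_read()`, or copy whatever the callee needs out of the vma while the lock is still held and pass that instead. If the call must run without mmap_sem (for lock-ordering reasons not visible in this hunk), the commit message should spell out what keeps the vma alive across the `goto again`.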

The vma pointer can't leave the read side of the mmap_sem

> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index 4a4cb7cd86b2..62ba6bd8a486 100644
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -91,6 +91,7 @@ struct vfio_dma {
>       bool                    lock_cap;       /* capable(CAP_IPC_LOCK) */
>       struct task_struct      *task;
>       struct rb_root          pfn_list;       /* Ex-user pinned pfn list */
> +     struct vm_area_struct   *pfnmap_vma;
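Review bot: the new `pfnmap_vma` field stores a raw `struct vm_area_struct *` in `struct vfio_dma`, an object that outlives any given mapping, yet vmas are not refcounted and are freed on munmap, so nothing in this hunk shows what keeps the pointer from dangling. Please add a trailing comment in the style of the neighbouring fields (`lock_cap`, `pfn_list`) stating the lifetime rule, e.g. which lock guards it and which path clears it when the vma goes away, or switch to a form that does not cache the vma pointer at all.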

This is also confusing; how does it prevent pfnmap_vma from being
freed?

Jason
