On Thu, 2019-11-28 at 09:57 +1100, Paul Mackerras wrote:
> There isn't a potential use-after-free here. We are relying on the
> property that the release function (kvm_vm_release) cannot be called
> in parallel with this function. The reason is that this function
> (kvm_vm_ioctl_create_spapr_tce) is handling an ioctl on a kvm VM file
> descriptor. That means that a userspace process has the file
> descriptor still open. The code that implements the close() system
> call makes sure that no thread is still executing inside any system
> call that is using the same file descriptor before calling the file
> descriptor's release function (in this case, kvm_vm_release). That
> means that this kvm_put_kvm() call here cannot make the reference
> count go to zero.

That was very informative. A lot of things are clear to me now.

Thanks for explaining this Paul.

Best regards,
Leonardo