Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes: > On Mon, Aug 28, 2017 at 02:38:37PM +1000, Paul Mackerras wrote: >> On Sun, Aug 27, 2017 at 10:02:20PM +0100, Al Viro wrote: >> > On Wed, Aug 23, 2017 at 04:06:24PM +1000, Paul Mackerras wrote: >> > >> > > It seems to me that it would be better to do the anon_inode_getfd() >> > > call before the kvm_get_kvm() call, and go to the fail label if it >> > > fails. >> > >> > And what happens if another thread does close() on the (guessed) fd? >> >> Chaos ensues, but mostly because we don't have proper mutual exclusion >> on the modifications to the list. I'll add a mutex_lock/unlock to >> kvm_spapr_tce_release() and move the anon_inode_getfd() call inside >> the mutex. >> >> It looks like the other possible uses of the fd (mmap, and passing it >> as a parameter to the KVM_DEV_VFIO_GROUP_SET_SPAPR_TCE ioctl on a KVM >> device fd) are safe. > > Frankly, it's a lot saner to have "no failure points past anon_inode_getfd()" > policy... Actually I thought that was a hard rule. But I don't see it documented or mentioned anywhere so I'm not sure now why I thought that. cheers
