Re: [PATCH v1] s390/vfio-ap: Signal eventfd when guest AP configuration is changed

On 1/16/25 2:30 PM, Halil Pasic wrote:
On Thu, 16 Jan 2025 10:38:41 -0500
Anthony Krowiak <akrowiak@xxxxxxxxxxxxx> wrote:

Alex, does the above answer your question on what guards against UAF (the
short answer is: matrix_dev->mdevs_lock)?
I agree that the matrix_dev->mdevs_lock does prevent changes to
matrix_mdev->cfg_chg_trigger while it is being accessed by the
vfio_ap device driver. My confusion arises from my interpretation of
Alex's question; it seemed to me that he was talking about its use outside
of the vfio_ap driver and how to guard against that.
BTW the key for understanding how we are protected from something
like userspace closing the eventfd is that eventfd_ctx_fdget()
takes a reference to the internal eventfd context, which makes
sure userspace can not shoot us in the foot and the context
remains safe to use until we have done our put. Generally
userspace is responsible for not shooting itself in the foot,
so how QEMU uses its end is mostly QEMU's problem in my understanding.

I started digging through that code to try to find the reference to the
eventfd and whether/how it is protected, but got lost in the
twists and turns. Thanks for the info.


Regards,
Halil
