On Wed, Sep 21, 2022 at 05:02:37PM -0700, Dan Williams wrote:
> The scenario I cannot convince myself is impossible is a driver that
> goes into interruptible sleep while operating on a page it got from
> get_user_pages(). Where the eventual driver completion path will clean
> up the pinned page, but the process that launched the I/O has already
> exited and dropped all the inode references it was holding. That's not
> buggy on its face since the driver still cleans up everything it was
> handed, but if this type of disconnect happens (closing mappings and
> files while I/O is in-flight) then iput_final() needs to check.

I don't think you can make this argument.

The inode you are talking about is held in the vma of the mm_struct, it
is not just a process exit or interrupted sleep that could cause the vma
to drop the inode reference, but any concurrent thread doing
memunmap/close can destroy the VMA, close the FD and release the inode.

So userspace can certainly create races where something has safely done
GUP/PUP !FOLL_LONGTERM but the VMA that sourced the page is destroyed
while the thread is still processing the post-GUP work.

Jason
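An added userspace demonstration of the ordering Jason describes (this is not part of the thread nor of the patch set under discussion): vmsplice(2) without SPLICE_F_GIFT does a short-term (non-FOLL_LONGTERM) GUP/PUP of the page behind a MAP_SHARED memfd mapping and hands it to a pipe. The program then does what any concurrent thread could do at any moment: munmap() the VMA and close() the fd, which drops the last reference to the memfd inode. The pinned page outlives both the VMA and the inode, and reading the pipe back still yields the data. It assumes Linux with memfd_create(2) and vmsplice(2) (glibc 2.27 or newer); the function name pinned_page_outlives_mapping is my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/uio.h>
#include <unistd.h>

/*
 * Returns 1 if the page pinned by vmsplice() was still intact after the
 * mapping and the file were destroyed, 0 if the data was corrupted, and
 * -1 on a setup failure. Assumes Linux (memfd_create, vmsplice).
 */
int pinned_page_outlives_mapping(void)
{
	long page = sysconf(_SC_PAGESIZE);
	int pipefd[2];
	int mfd;
	char *buf, *out;
	ssize_t got = 0;
	int ok = 1;

	if (page <= 0 || pipe(pipefd) < 0)
		return -1;

	/* A file-backed (shmem) mapping, so the VMA holds an inode reference. */
	mfd = memfd_create("gup-demo", 0);
	if (mfd < 0 || ftruncate(mfd, page) < 0)
		return -1;
	buf = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0);
	if (buf == MAP_FAILED)
		return -1;
	memset(buf, 'A', page);	/* fault the page in and fill it */

	/*
	 * Without SPLICE_F_GIFT the kernel pins the user page (GUP/PUP,
	 * !FOLL_LONGTERM) and parks it in the pipe; nothing is copied yet.
	 */
	struct iovec iov = { .iov_base = buf, .iov_len = page };
	if (vmsplice(pipefd[1], &iov, 1, 0) != page)
		return -1;

	/*
	 * The "concurrent thread" part, done inline for determinism: destroy
	 * the VMA and drop the last fd. The memfd inode is now released while
	 * the kernel still holds the pinned page.
	 */
	if (munmap(buf, page) < 0 || close(mfd) < 0)
		return -1;

	/* The pipe read copies out of the still-pinned page. */
	out = malloc(page);
	if (!out)
		return -1;
	while (got < page) {
		ssize_t r = read(pipefd[0], out + got, page - got);
		if (r <= 0) {
			free(out);
			return -1;
		}
		got += r;
	}
	for (long i = 0; i < page; i++)
		if (out[i] != 'A') {
			ok = 0;
			break;
		}
	free(out);
	close(pipefd[0]);
	close(pipefd[1]);
	return ok;
}

int main(void)
{
	int r = pinned_page_outlives_mapping();
	printf("pinned page intact after munmap/close: %s\n",
	       r == 1 ? "yes" : r == 0 ? "no (corrupted)" : "setup failed");
	return r == 1 ? 0 : 1;
}
```

The page survives because the pin holds a reference independently of the VMA and the inode; what the program cannot show is the other half of the concern, i.e. whatever iput_final() and the filesystem do while the pin is still held, which is exactly the window a real concurrent munmap()/close() thread opens against in-flight driver I/O.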