On Tue, Jan 08, 2019 at 11:19:19AM +0200, Gal Pressman wrote:

> You're right, in that case (which shouldn't happen unless we have
> some kind of userspace bug)

It is security, if I can force the BAR pages to be re-used then I
break the security model of the device from userspace.

> This can be solved by freeing the PDs on dealloc_ucontext time which
> will guarantee that no other process will get the same BAR pages.

Depends on the implementation. What is coming next is 'shared pd'
which will allow the PD HW object to be pointed at by multiple
different ucontext's.

(this is another reason why you can't really remove the mmap cookie on
first use, as to make a correct driver for shared-PD the sharing flow
will have to re-mmap the BAR pages, presumably.)

The implementation of deferred destroy would need to very carefully
handle this.

Honestly, the HW implementation here sounds more like SRIOV where BAR
based regions are kept apart from each other.

Jason