[openib-general] Re: [PATCH] Ref count user doorbell pages in mthca

Michael S. Tsirkin mst at mellanox.co.il
Thu Jun 16 14:21:19 PDT 2005


Quoting r. Roland Dreier <roland at topspin.com>:
> Subject: Re: [PATCH] Ref count user doorbell pages in mthca
>
>     Roland> This patch keeps a reference count on the doorbell pages that are
>     Roland> mapped into userspace for direct verbs access.  This prevents a
>     Roland> buggy/malicious app from closing its context but keeping a
>     Roland> doorbell page mapped, and then improperly accessing the doorbell
>     Roland> page after it gets allocated again to a new process.

Is this something you've seen in practice?

Looking at code under mm/, it seems that when you mmap something, get_file
is called on the descriptor (and fput on close).
So it seems to me the driver's release won't get called until the app
actually unmaps the memory.
If that's right, there's no issue since the context won't get closed.

It seems to me if there are active vmas after the file is closed, we
have other issues, like the driver may get unloaded while vmas
have a pointer to mthca_open_vma.

-- 
MST
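
The mmap/close behaviour discussed in this message can be observed from userspace. The following is an added example, not code from the thread or from mthca: it maps a regular scratch file (not a doorbell page), closes the descriptor, and checks that a store through the mapping still reaches the file. The function name and file path are assumptions made for the example.

```c
/* Added example: a shared mapping keeps the file referenced after close(fd). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAP_LEN 4096

/* Hypothetical helper: returns 0 if a write made through the mapping after
 * close(fd) is visible in the file, -1 on any failure. */
int mapping_survives_close(void)
{
    char path[] = "/tmp/mmap_ref_XXXXXX";   /* constructed scratch file */
    char buf[8] = {0};
    int ok = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, MAP_LEN) != 0) { close(fd); unlink(path); return -1; }

    char *p = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                      /* descriptor is gone; the mapping is not */
    if (p == MAP_FAILED) { unlink(path); return -1; }

    memcpy(p, "ring", 4);           /* store through the mapping after close() */
    if (msync(p, MAP_LEN, MS_SYNC) == 0) {
        int fd2 = open(path, O_RDONLY);
        if (fd2 >= 0) {
            if (read(fd2, buf, 4) == 4 && memcmp(buf, "ring", 4) == 0)
                ok = 0;             /* the write reached the file */
            close(fd2);
        }
    }
    munmap(p, MAP_LEN);             /* the mapping's file reference is dropped here */
    unlink(path);
    return ok;
}

int main(void)
{
    printf("mapping usable after close(): %s\n",
           mapping_survives_close() == 0 ? "yes" : "no");
    return 0;
}
```

This shows only the generic mapping lifetime on a regular file; when a character device's release method runs relative to munmap is a kernel-side question the program cannot observe.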


