On Thu, Feb 25, 2021 at 03:17:14PM -0400, Jason Gunthorpe wrote: > It is a use-after-free. Once the PFN is programmed into the IOMMU it > becomes completely divorced from the VMA. Remember there is no > pin_user_page here, so the PFN has no reference count. > > If the owner of the VMA decided to zap it or otherwise then the IOMMU > access keeps going - but now the owner thinks the PFN is free'd and > nobody is referencing it. Goes bad.
Sounds reasonable. Thanks, -- Peter Xu
