On Fri, Jan 10, 2025 at 01:58:21PM -0800, Nicolin Chen wrote:
> Hmm, it seems that I haven't got your first narrative straight..
> Would you mind elaborating on "copy_to_user() can block while waiting on a page fault"? When would this happen?
copy_to_user() is a sleeping function that sleeps if the user memory is non-present. So userspace can cause copy_to_user to copy to anything, including memory that is non-present and will take a long time to page fault in. E.g. perhaps by abusing userfaultfd.
We should not allow userspace to globally DOS the iommu driver this way.
So do not hold locks that are also held by the HW event path across copy_to_user().
Jason
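As an added illustration of the point above (not code from this thread or from the iommufd driver), here is a single-threaded userspace model of the two read-path shapes. The spinlock, the atomic-context counter, `might_sleep()` and `fake_copy_to_user()` are all stand-ins I constructed: the real `copy_to_user()` calls `might_fault()`, whose debug build warns when it runs with a spinlock held, and the counter here plays that role. The event queue shared with a hypothetical HW event path is also an assumption, chosen only to show why the lock must be released before the copy.

```c
/* Added illustration, not code from the thread or the iommufd driver:
 * model of why a lock shared with the HW event path must not be held
 * across copy_to_user(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_LEN 8u

struct event { uint32_t id; uint32_t data; };

/* Model of a spinlock: taking it enters atomic context (as the kernel's
 * preempt_disable() does), so the holder must not sleep. */
static int atomic_depth;
struct spinlock { int held; };
static void spin_lock(struct spinlock *l)   { l->held = 1; atomic_depth++; }
static void spin_unlock(struct spinlock *l) { l->held = 0; atomic_depth--; }

/* Model of might_sleep()/might_fault(): a kernel debug build warns when a
 * sleeping function is entered in atomic context; here we just count it. */
static int sleep_in_atomic_warnings;
static void might_sleep(void) { if (atomic_depth > 0) sleep_in_atomic_warnings++; }
int sleep_in_atomic_count(void) { return sleep_in_atomic_warnings; }

/* Stand-in for copy_to_user(): may block on a page fault for as long as
 * userspace takes to resolve it, so it is a sleeping function. */
static int fake_copy_to_user(void *udst, const void *src, size_t n)
{
    might_sleep();
    memcpy(udst, src, n);
    return 0;
}

struct event_queue {
    struct spinlock lock;            /* also taken by the HW event path */
    struct event ring[QUEUE_LEN];
    unsigned head, tail;
};
static struct event_queue q;

/* HW event path: runs in atomic context and can only spin if the reader
 * holds the lock, so the reader must never sleep while holding it. */
int hw_event_push(struct event_queue *eq, uint32_t id, uint32_t data)
{
    int ret = 0;
    spin_lock(&eq->lock);
    if (eq->tail - eq->head == QUEUE_LEN)
        ret = -1;                                /* queue full, event dropped */
    else
        eq->ring[eq->tail++ % QUEUE_LEN] = (struct event){ id, data };
    spin_unlock(&eq->lock);
    return ret;
}

/* Bad shape: the lock is held across the sleeping copy, so a user-controlled
 * page fault inside the copy stalls every hw_event_push() on the lock. */
int read_events_bad(struct event_queue *eq, struct event *ubuf, unsigned max)
{
    unsigned n = 0;
    spin_lock(&eq->lock);
    while (n < max && eq->head != eq->tail) {
        if (fake_copy_to_user(&ubuf[n], &eq->ring[eq->head % QUEUE_LEN], sizeof(*ubuf)))
            break;
        eq->head++;
        n++;
    }
    spin_unlock(&eq->lock);
    return n;
}

/* Fixed shape: dequeue into a private kernel buffer under the lock, release
 * it, then do the possibly-sleeping copy with no lock held. */
int read_events_good(struct event_queue *eq, struct event *ubuf, unsigned max)
{
    struct event tmp[QUEUE_LEN];
    unsigned n = 0;

    spin_lock(&eq->lock);
    while (n < max && n < QUEUE_LEN && eq->head != eq->tail)
        tmp[n++] = eq->ring[eq->head++ % QUEUE_LEN];
    spin_unlock(&eq->lock);

    if (n && fake_copy_to_user(ubuf, tmp, n * sizeof(*tmp)))
        return -1;   /* real code must re-queue the events or report the loss */
    return n;
}

int main(void)
{
    struct event buf[QUEUE_LEN];
    hw_event_push(&q, 1, 10);
    hw_event_push(&q, 2, 20);
    printf("bad path read %d events, sleep-in-atomic warnings=%d\n",
           read_events_bad(&q, buf, QUEUE_LEN), sleep_in_atomic_count());
    hw_event_push(&q, 3, 30);
    printf("good path read %d events, sleep-in-atomic warnings=%d\n",
           read_events_good(&q, buf, QUEUE_LEN), sleep_in_atomic_count());
    return 0;
}
```

The fixed shape trades a bounded stack copy for never sleeping with the lock held; the remaining design question, visible in the `-1` branch, is what to do with already-dequeued events when the user copy fails, which real drivers handle by re-queueing or reporting the loss.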