On Wed, 2019-11-27 at 17:00 -0800, Sean Christopherson wrote:
> > Sorry, I missed some information on the above example.
> > Suppose on that example that the reorder changes take place so that
> > kvm_put_kvm{,_no_destroy}() always happens after the last usage of kvm
> > (in the same syscall, let's say).
> 
> That can't happen, because the ioctl() holds a reference to KVM via its
> file descriptor for /dev/kvm, and ioctl() in turn prevents the fd from
> being closed.
> 
> > Before T1 and T2, refcount = 1;
> 
> This is what's impossible. T1 must have an existing reference to get
> into the ioctl(), and that reference cannot be dropped until the ioctl()
> completes (and by completes I mean returns to userspace). Assuming no
> other bugs, i.e. T2 has its own reference, then refcount >= 2.
> 

Thanks for explaining, I think I get it now.

Best regards,
Leonardo Bras
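The invariant Sean describes above, as an added toy model that is not the kernel's code and not part of this thread: the VM file descriptor owns one reference to the VM object for as long as it is open, a thread inside an ioctl() on that fd therefore always sits on at least that reference, and a put that the caller knows is not the last one (the kvm_put_kvm_no_destroy() case) can assert that it never observes a count of 1. The struct, function names prefixed `model_`, and the sequential T1/T2 interleaving are all assumptions made for the example.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model (not the kernel's struct kvm) of a refcounted VM object.
 * The open VM fd holds one reference; anything else that wants to use
 * the VM takes its own.
 */
struct kvm_model {
	atomic_int users_count;
	bool destroyed;
};

static void model_get_kvm(struct kvm_model *kvm)
{
	atomic_fetch_add(&kvm->users_count, 1);
}

/* Drop a reference; dropping the last one destroys the VM. */
static bool model_put_kvm(struct kvm_model *kvm)
{
	if (atomic_fetch_sub(&kvm->users_count, 1) == 1) {
		kvm->destroyed = true;
		return true;
	}
	return false;
}

/*
 * Drop a reference the caller knows is not the last one: the caller is
 * still inside an ioctl() on the VM fd, so the fd's reference remains.
 * The assert documents the invariant from the thread (count >= 2 before
 * the put); a count of 1 here would be a refcounting bug elsewhere.
 */
static void model_put_kvm_no_destroy(struct kvm_model *kvm)
{
	int old = atomic_fetch_sub(&kvm->users_count, 1);
	assert(old > 1);
}

struct scenario_result {
	int min_count_during_ioctl;  /* lowest refcount seen while T1 is in the ioctl */
	bool destroyed_during_ioctl; /* did the VM go away under T1's feet? */
	bool destroyed_at_close;     /* did close(fd) finally destroy it? */
};

static void observe(const struct kvm_model *kvm, struct scenario_result *r)
{
	int c = atomic_load(&kvm->users_count);
	if (c < r->min_count_during_ioctl)
		r->min_count_during_ioctl = c;
	if (kvm->destroyed)
		r->destroyed_during_ioctl = true;
}

/*
 * The thread's T1/T2 example, run as one deterministic interleaving:
 * T2 holds its own reference, T1 is inside an ioctl() on the VM fd and
 * takes then drops a temporary reference (a failed vcpu fd creation in
 * the real code), T2 drops its reference meanwhile, the ioctl returns,
 * and only close(fd) takes the count to zero.
 */
static struct scenario_result run_scenario(void)
{
	struct kvm_model kvm = { .users_count = 1, .destroyed = false }; /* fd open: 1 */
	struct scenario_result r = { .min_count_during_ioctl = 1 << 30 };

	model_get_kvm(&kvm);            /* T2 takes its own reference: 2 */

	/* T1 enters ioctl(); the fd reference cannot go away until it returns. */
	observe(&kvm, &r);
	model_get_kvm(&kvm);            /* T1: temporary reference for a new fd: 3 */
	observe(&kvm, &r);
	model_put_kvm(&kvm);            /* T2 drops its reference: 2 */
	observe(&kvm, &r);
	model_put_kvm_no_destroy(&kvm); /* T1: fd creation failed, drop temp ref: 1 */
	observe(&kvm, &r);
	/* T1 returns to userspace; the VM is still alive. */

	r.destroyed_at_close = model_put_kvm(&kvm); /* close(fd): 0, destroy */
	return r;
}

int main(void)
{
	struct scenario_result r = run_scenario();
	printf("min refcount during ioctl: %d, destroyed during ioctl: %s, destroyed at close: %s\n",
	       r.min_count_during_ioctl, r.destroyed_during_ioctl ? "yes" : "no",
	       r.destroyed_at_close ? "yes" : "no");
	return 0;
}
```

Reordering the put relative to the last use of the object inside the ioctl does not change the picture: the reference that keeps the object alive across the syscall is the fd's, not the temporary one being dropped.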