From: Kirti Wankhede <kwankhede@nvidia.com>
To: Jike Song <jike.song@intel.com>, <serge@hallyn.com>,
	<alex.williamson@redhat.com>
Cc: <linux-security-module@vger.kernel.org>, <kvm@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <kraxel@redhat.com>
Subject: Re: [PATCH 2/2] vfio iommu type1: fix the testing of capability for remote task
Date: Thu, 22 Dec 2016 17:50:37 +0530
Message-ID: <6beee519-15f3-1d4d-5ea7-20fa6ba56d1c@nvidia.com>
In-Reply-To: <1482336616-19252-3-git-send-email-jike.song@intel.com>



On 12/21/2016 9:40 PM, Jike Song wrote:
> Before the mdev enhancement type1 iommu used capable() to test the
> capability of current task; in the course of mdev development a
> new requirement, testing for another task other than current, was
> raised.  ns_capable() was used for this purpose, however it still
> tests current, the only difference is, in a specified namespace.
> 
> Fix it by using has_capability() instead, which tests the cap for
> specified task in init_user_ns, the same namespace as capable().
> 
> Cc: Alex Williamson <alex.williamson@redhat.com>
> Cc: Kirti Wankhede <kwankhede@nvidia.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Jike Song <jike.song@intel.com>
> ---
>  drivers/vfio/vfio_iommu_type1.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index f3726ba..b54aedf 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -394,8 +394,7 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
>  				  long npage, unsigned long *pfn_base)
>  {
>  	unsigned long limit;
> -	bool lock_cap = ns_capable(task_active_pid_ns(dma->task)->user_ns,
> -				   CAP_IPC_LOCK);
> +	bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);


Hi Jike,

Alex's patch already changes this to capable(), you need to resolve.
https://lkml.org/lkml/2016/12/20/490

You only need to make the change below, which looks fine to me.

>  	struct mm_struct *mm;
>  	long ret, i = 0, lock_acct = 0;
>  	bool rsvd;
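
Review bot: in vfio_pin_pages_remote() the new `lock_cap` initializer changes two things at once: the task being tested (dma->task instead of current) and the namespace (init_user_ns, per the commit message, instead of the user namespace behind task_active_pid_ns(dma->task)). The namespace change is only implied by "the same namespace as capable()". I would state outright in the commit message that a capability held only in a non-init user namespace no longer satisfies this check, and add a one-line comment above the declaration saying the test is deliberately on dma->task rather than current.
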
> @@ -491,8 +490,7 @@ static int vfio_pin_page_external(struct vfio_dma *dma, unsigned long vaddr,
>  				  unsigned long *pfn_base, bool do_accounting)
>  {
>  	unsigned long limit;
> -	bool lock_cap = ns_capable(task_active_pid_ns(dma->task)->user_ns,
> -				   CAP_IPC_LOCK);
> +	bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);
>  	struct mm_struct *mm;
>  	int ret;
>  	bool rsvd;
> 
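
Review bot: vfio_pin_page_external() repeats the exact `has_capability(dma->task, CAP_IPC_LOCK)` initializer from vfio_pin_pages_remote(); a small static helper taking the struct vfio_dma would keep the remote-task rule in one place so the two call sites cannot drift apart. Since has_capability() reads the credentials of dma->task rather than current, please also confirm (or note in a comment) that the vfio_dma holds a reference on that task for as long as these paths can run.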


Thanks,
Kirti
