Re: [PATCH v3 hmm 08/11] drm/radeon: use mmu_notifier_get/put for struct radeon_mn
From: Jason Gunthorpe
Date: Thu Aug 15 2019 - 15:46:44 EST
On Thu, Aug 15, 2019 at 10:28:21AM +0200, Christian König wrote:
> Am 07.08.19 um 01:15 schrieb Jason Gunthorpe:
> > From: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
> >
> > radeon is using a device global hash table to track what mmu_notifiers
> > have been registered on struct mm. This is better served with the new
> > get/put scheme instead.
> >
> > radeon has a bug where it was not blocking notifier release() until all
> > the BOs had been invalidated. This could result in a use after free of
> > pages the BOs. This is tied into a second bug where radeon left the
> > notifiers running endlessly even once the interval tree became
> > empty. This could result in a use after free with module unload.
> >
> > Both are fixed by changing the lifetime model, the BOs exist in the
> > interval tree with their natural lifetimes independent of the mm_struct
> > lifetime using the get/put scheme. The release runs synchronously and just
> > does invalidate_start across the entire interval tree to create the
> > required DMA fence.
> >
> > Additions to the interval tree after release are already impossible as
> > only current->mm is used during the add.
> >
> > Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
>
> Acked-by: Christian König <christian.koenig@xxxxxxx>

Thanks!

> But I'm wondering if we shouldn't completely drop radeon userptr support.
> It's just too buggy,

I would not object :)

Jason