git.baikalelectronics.ru Git - kernel.git/commit

author	Jason Gunthorpe <jgg@mellanox.com>
	Tue, 6 Aug 2019 23:15:45 +0000 (20:15 -0300)
committer	Jason Gunthorpe <jgg@mellanox.com>
	Tue, 20 Aug 2019 12:35:02 +0000 (09:35 -0300)
commit	39426e8d814242df94b347115ce128c39b940e9d
tree	35136774a18efccc9bf441790e8f20112c1f2d06	tree \| snapshot
parent	25c7d13e8e61f5c277d2db272a862d83ed975fc5	commit \| diff

drm/radeon: use mmu_notifier_get/put for struct radeon_mn

radeon is using a device global hash table to track what mmu_notifiers
have been registered on struct mm. This is better served with the new
get/put scheme instead.

radeon has a bug where it was not blocking notifier release() until all
the BO's had been invalidated. This could result in a use after free of
pages the BOs. This is tied into a second bug where radeon left the
notifiers running endlessly even once the interval tree became
empty. This could result in a use after free with module unload.

Both are fixed by changing the lifetime model, the BOs exist in the
interval tree with their natural lifetimes independent of the mm_struct
lifetime using the get/put scheme. The release runs synchronously and just
does invalidate_start across the entire interval tree to create the
required DMA fence.

Additions to the interval tree after release are already impossible as
only current->mm is used during the add.

Link: https://lore.kernel.org/r/20190806231548.25242-9-jgg@ziepe.ca
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

drivers/gpu/drm/radeon/radeon.h		diff \| blob \| history
drivers/gpu/drm/radeon/radeon_device.c		diff \| blob \| history
drivers/gpu/drm/radeon/radeon_drv.c		diff \| blob \| history
drivers/gpu/drm/radeon/radeon_mn.c		diff \| blob \| history