On Thu, Aug 15, 2019 at 10:28:21AM +0200, Christian König wrote:
> On 07.08.19 at 01:15, Jason Gunthorpe wrote:
> > From: Jason Gunthorpe <jgg@mellanox.com>
> >
> > radeon is using a device global hash table to track what mmu_notifiers have been registered on struct mm. This is better served with the new get/put scheme instead.
> >
> > radeon has a bug where it was not blocking notifier release() until all the BOs had been invalidated. This could result in a use after free of the BOs' pages. This is tied into a second bug where radeon left the notifiers running endlessly even once the interval tree became empty. This could result in a use after free with module unload.
> >
> > Both are fixed by changing the lifetime model, the BOs exist in the interval tree with their natural lifetimes independent of the mm_struct lifetime using the get/put scheme. The release runs synchronously and just does invalidate_start across the entire interval tree to create the required DMA fence.
> >
> > Additions to the interval tree after release are already impossible as only current->mm is used during the add.
> >
> > Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
>
> Acked-by: Christian König <christian.koenig@amd.com>
>
> Thanks!
>
> But I'm wondering if we shouldn't completely drop radeon userptr support. It's just too buggy.
I would not object :)
Jason
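Added example, not from the patch or the radeon driver: a user-space C model of the lifetime rule the commit message above describes. Each registered BO takes one reference on the per-mm notifier (the get/put scheme), release() invalidates every BO in the tree synchronously before any page is freed, and the notifier is torn down as soon as the last BO leaves, so nothing keeps running on an empty tree or survives to module unload. mn_get, mn_put, mm_release, bo_register, bo_unregister and the linked BO list are hypothetical stand-ins for mmu_notifier_get/put, ops->release and the driver's interval tree; no kernel API is called.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; not kernel or radeon code. */
struct mm_model;
struct user_bo;

struct mn_model {
	int refcount;            /* one reference per registered BO */
	struct user_bo *bos;     /* stand-in for the interval tree */
	struct mm_model *mm;
};

struct mm_model {
	struct mn_model *subscription; /* at most one notifier per (ops, mm) */
};

struct user_bo {
	uint64_t start, end;     /* user VA range the BO pins, [start, end) */
	bool invalidated;        /* device no longer references the pages */
	struct mn_model *mn;
	struct user_bo *next;
};

static int live_notifiers; /* allocated notifiers; must be 0 when all BOs are gone */

/* mmu_notifier_get() stand-in: reuse the mm's notifier or allocate the first */
static struct mn_model *mn_get(struct mm_model *mm)
{
	struct mn_model *mn = mm->subscription;
	if (mn) {
		mn->refcount++;
		return mn;
	}
	mn = calloc(1, sizeof(*mn));
	if (!mn)
		return NULL;
	mn->refcount = 1;
	mn->mm = mm;
	mm->subscription = mn;
	live_notifiers++;
	return mn;
}

/* mmu_notifier_put() stand-in: the last BO to leave tears the notifier down */
static void mn_put(struct mn_model *mn)
{
	if (--mn->refcount)
		return;
	mn->mm->subscription = NULL;
	live_notifiers--;
	free(mn);
}

/* invalidate_start over every BO overlapping [start, end); returns the count */
static int mn_invalidate_range(struct mn_model *mn, uint64_t start, uint64_t end)
{
	int n = 0;
	for (struct user_bo *bo = mn->bos; bo; bo = bo->next) {
		if (bo->end <= start || bo->start >= end)
			continue;
		bo->invalidated = true; /* the driver would wait on the BO's fence here */
		n++;
	}
	return n;
}

/* ops->release stand-in: runs synchronously at mm teardown over the whole tree */
static int mm_release(struct mm_model *mm)
{
	if (!mm->subscription)
		return 0;
	return mn_invalidate_range(mm->subscription, 0, UINT64_MAX);
}

static struct user_bo *bo_register(struct mm_model *mm, uint64_t start, uint64_t end)
{
	struct user_bo *bo = calloc(1, sizeof(*bo));
	if (!bo)
		return NULL;
	bo->mn = mn_get(mm);
	if (!bo->mn) {
		free(bo);
		return NULL;
	}
	bo->start = start;
	bo->end = end;
	bo->next = bo->mn->bos;
	bo->mn->bos = bo;
	return bo;
}

static void bo_unregister(struct user_bo *bo)
{
	struct mn_model *mn = bo->mn;
	for (struct user_bo **pp = &mn->bos; *pp; pp = &(*pp)->next)
		if (*pp == bo) {
			*pp = bo->next;
			break;
		}
	free(bo);
	mn_put(mn); /* frees the notifier once the tree is empty */
}

int main(void)
{
	struct mm_model mm = { 0 };
	struct user_bo *a = bo_register(&mm, 0x1000, 0x3000);
	struct user_bo *b = bo_register(&mm, 0x8000, 0x9000);
	printf("shared notifier refcount: %d\n", a->mn->refcount);
	printf("release invalidated %d BOs\n", mm_release(&mm));
	bo_unregister(a);
	bo_unregister(b);
	printf("notifiers left after last BO: %d\n", live_notifiers);
	return 0;
}
```

The two checks worth keeping in mind when reading the model against the bug report: after mm_release() the BOs are all marked invalidated but the notifier is still allocated, because the BOs, not the mm, own its references; and only bo_unregister() of the last BO drops live_notifiers to zero, which is what makes a later module unload safe.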