On Thu, Aug 15, 2019 at 1:41 PM Jason Gunthorpe jgg@mellanox.com wrote:
On Thu, Aug 15, 2019 at 04:33:06PM -0400, Jerome Glisse wrote:
So nor HMM nor driver should dereference the struct page (i do not think any iommu driver would either),
Er, they do technically deref the struct page:
nouveau_dmem_convert_pfn(struct nouveau_drm *drm, struct hmm_range *range) struct page *page; page = hmm_pfn_to_page(range, range->pfns[i]); if (!nouveau_dmem_page(drm, page)) {
nouveau_dmem_page(struct nouveau_drm *drm, struct page *page) { return is_device_private_page(page) && drm->dmem == page_to_dmem(page)
Which does touch 'page->pgmap'
Is this OK without having a get_dev_pagemap() ?
Noting that the collision-retry scheme doesn't protect anything here as we can have a concurrent invalidation while doing the above deref.
As long take_driver_page_table_lock() in Jerome's flow can replace percpu_ref_tryget_live() on the pagemap reference. It seems nouveau_dmem_convert_pfn() happens after:
mutex_lock(&svmm->mutex); if (!nouveau_range_done(&range)) {
...so I would expect that to be functionally equivalent to validating the reference count.