• Jason Gunthorpe's avatar
    drm/radeon: use mmu_notifier_get/put for struct radeon_mn · 534e5f84
    Jason Gunthorpe authored
    radeon is using a device global hash table to track what mmu_notifiers
    have been registered on struct mm. This is better served with the new
    get/put scheme instead.
    
    radeon has a bug where it was not blocking notifier release() until all
    the BO's had been invalidated. This could result in a use after free of
    pages the BOs. This is tied into a second bug where radeon left the
    notifiers running endlessly even once the interval tree became
    empty. This could result in a use after free with module unload.
    
    Both are fixed by changing the lifetime model, the BOs exist in the
    interval tree with their natural lifetimes independent of the mm_struct
    lifetime using the get/put scheme. The release runs synchronously and just
    does invalidate_start across the entire interval tree to create the
    required DMA fence.
    
    Additions to the interval tree after release are already impossible as
    only current->mm is used during the add.
    
    Link: https://lore.kernel.org/r/20190806231548.25242-9-jgg@ziepe.caAcked-by: default avatarChristian König <christian.koenig@amd.com>
    Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
    534e5f84
radeon_device.c 50.3 KB