1. 20 Aug, 2019 6 commits
    • Christoph Hellwig's avatar
      mm: turn migrate_vma upside down · a7d1f22b
      Christoph Hellwig authored
      There isn't any good reason to pass callbacks to migrate_vma.  Instead
      we can just export the three steps done by this function to drivers and
      let them sequence the operation without callbacks.  This removes a lot
      of boilerplate code as-is, and will allow the drivers to drastically
      improve code flow and error handling further on.
      
      Link: https://lore.kernel.org/r/20190814075928.23766-2-hch@lst.deSigned-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarRalph Campbell <rcampbell@nvidia.com>
      Tested-by: default avatarRalph Campbell <rcampbell@nvidia.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      a7d1f22b
    • Jason Gunthorpe's avatar
      Merge 'notifier_get_put' into hmm.git · f4fb3b9c
      Jason Gunthorpe authored
      Jason Gunthorpe says:
      
      ====================
      Add mmu_notifier_get/put for managing mmu notifier registrations
      
      This series introduces a new registration flow for mmu_notifiers based on
      the idea that the user would like to get a single refcounted piece of
      memory for a mm, keyed to its use.
      
      For instance many users of mmu_notifiers use an interval tree or similar
      to dispatch notifications to some object. There are many objects but only
      one notifier subscription per mm holding the tree.
      
      Of the 12 places that call mmu_notifier_register:
       - 7 are maintaining some kind of obvious mapping of mm_struct to
         mmu_notifier registration, ie in some linked list or hash table. Of
         the 7 this series converts 4 (gru, hmm, RDMA, radeon)
      
       - 3 (hfi1, gntdev, vhost) are registering multiple notifiers, but each
         one immediately does some VA range filtering, ie with an interval tree.
         These would be better with a global subsystem-wide range filter and
         could convert to this API.
      
       - 2 (kvm, amd_iommu) are deliberately using a single mm at a time, and
         really can't use this API. One of the intel-svm's modes is also in this
         list
      
      The 3/7 unconverted drivers are:
       - intel-svm
         This driver tracks mm's in a global linked list 'global_svm_list'
         and would benefit from this API.
      
         Its flow is a bit complex, since it also wants a set of non-shared
         notifiers.
      
       - i915_gem_usrptr
         This driver tracks mm's in a per-device hash
         table (dev_priv->mm_structs), but only has an optional use of
         mmu_notifiers.  Since it still seems to need the hash table it is
         difficult to convert.
      
       - amdkfd/kfd_process
         This driver is using a global SRCU hash table to track mm's
      
         The control flow here is very complicated and the driver is relying on
         this hash table to be fast on the ioctl syscall path.
      
         It would definitely benefit, but only if the ioctl path didn't need to
         do the search so often.
      ====================
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      f4fb3b9c
    • Jason Gunthorpe's avatar
      drm/amdkfd: use mmu_notifier_put · 471f3902
      Jason Gunthorpe authored
      The sequence of mmu_notifier_unregister_no_release(),
      mmu_notifier_call_srcu() is identical to mmu_notifier_put() with the
      free_notifier callback.
      
      As this is the last user of those APIs, converting it means we can drop
      them.
      
      Link: https://lore.kernel.org/r/20190806231548.25242-11-jgg@ziepe.caReviewed-by: default avatarFelix Kuehling <Felix.Kuehling@amd.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      471f3902
    • Jason Gunthorpe's avatar
      drm/amdkfd: fix a use after free race with mmu_notifer unregister · 0029cab3
      Jason Gunthorpe authored
      When using mmu_notifer_unregister_no_release() the caller must ensure
      there is a SRCU synchronize before the mn memory is freed, otherwise use
      after free races are possible, for instance:
      
           CPU0                                      CPU1
                                            invalidate_range_start
                                               hlist_for_each_entry_rcu(..)
       mmu_notifier_unregister_no_release(&p->mn)
       kfree(mn)
                                            if (mn->ops->invalidate_range_end)
      
      The error unwind in amdkfd misses the SRCU synchronization.
      
      amdkfd keeps the kfd_process around until the mm is released, so split the
      flow to fully initialize the kfd_process and register it for find_process,
      and with the notifier. Past this point the kfd_process does not need to be
      cleaned up as it is fully ready.
      
      The final failable step does a vm_mmap() and does not seem to impact the
      kfd_process global state. Since it also cannot be undone (and already has
      problems with undo if it internally fails), it has to be last.
      
      This way we don't have to try to unwind the mmu_notifier_register() and
      avoid the problem with the SRCU.
      
      Along the way this also fixes various other error unwind bugs in the flow.
      
      Fixes: 45102048 ("amdkfd: Add process queue manager module")
      Link: https://lore.kernel.org/r/20190806231548.25242-10-jgg@ziepe.caReviewed-by: default avatarFelix Kuehling <Felix.Kuehling@amd.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      0029cab3
    • Jason Gunthorpe's avatar
      drm/radeon: use mmu_notifier_get/put for struct radeon_mn · 534e5f84
      Jason Gunthorpe authored
      radeon is using a device global hash table to track what mmu_notifiers
      have been registered on struct mm. This is better served with the new
      get/put scheme instead.
      
      radeon has a bug where it was not blocking notifier release() until all
      the BO's had been invalidated. This could result in a use after free of
      pages the BOs. This is tied into a second bug where radeon left the
      notifiers running endlessly even once the interval tree became
      empty. This could result in a use after free with module unload.
      
      Both are fixed by changing the lifetime model, the BOs exist in the
      interval tree with their natural lifetimes independent of the mm_struct
      lifetime using the get/put scheme. The release runs synchronously and just
      does invalidate_start across the entire interval tree to create the
      required DMA fence.
      
      Additions to the interval tree after release are already impossible as
      only current->mm is used during the add.
      
      Link: https://lore.kernel.org/r/20190806231548.25242-9-jgg@ziepe.caAcked-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      534e5f84
    • Jason Gunthorpe's avatar
      hmm: use mmu_notifier_get/put for 'struct hmm' · c7d8b782
      Jason Gunthorpe authored
      This is a significant simplification, it eliminates all the remaining
      'hmm' stuff in mm_struct, eliminates krefing along the critical notifier
      paths, and takes away all the ugly locking and abuse of page_table_lock.
      
      mmu_notifier_get() provides the single struct hmm per struct mm which
      eliminates mm->hmm.
      
      It also directly guarantees that no mmu_notifier op callback is callable
      while concurrent free is possible, this eliminates all the krefs inside
      the mmu_notifier callbacks.
      
      The remaining krefs in the range code were overly cautious, drivers are
      already not permitted to free the mirror while a range exists.
      
      Link: https://lore.kernel.org/r/20190806231548.25242-6-jgg@ziepe.caReviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarRalph Campbell <rcampbell@nvidia.com>
      Tested-by: default avatarRalph Campbell <rcampbell@nvidia.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      c7d8b782
  2. 16 Aug, 2019 4 commits
  3. 07 Aug, 2019 13 commits
  4. 26 Jul, 2019 6 commits
  5. 25 Jul, 2019 7 commits
  6. 21 Jul, 2019 4 commits