From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Christoph Hellwig
Cc: Jerome Glisse, Ralph Campbell, John Hubbard, Felix.Kuehling@amd.com,
    linux-rdma@vger.kernel.org, linux-mm@kvack.org, Andrea Arcangeli,
    dri-devel@lists.freedesktop.org, amd-gfx@lists.freedesktop.org
Subject: Re: [PATCH v2 hmm 01/11] mm/hmm: fix use after free with struct hmm in the mmu notifiers
Date: Sat, 8 Jun 2019 08:33:05 -0300
Message-ID: <20190608113305.GA12419@ziepe.ca>
References: <20190606184438.31646-1-jgg@ziepe.ca> <20190606184438.31646-2-jgg@ziepe.ca> <20190608084948.GA32185@infradead.org>
In-Reply-To: <20190608084948.GA32185@infradead.org>
Content-Type: text/plain; charset=us-ascii

On Sat, Jun 08, 2019 at 01:49:48AM -0700, Christoph Hellwig wrote:
> I still think struct hmm should die.  We already have a structure used
> for additional information for drivers having crazily tight integration
> into the VM, and it is called struct mmu_notifier_mm.  We really need
> to reuse that instead of duplicating it badly.

Probably. But at least in ODP we needed something very similar to
'struct hmm' to make our mmu notifier implementation work.

The mmu notifier api really lends itself to having a per-mm structure
in the driver to hold the 'struct mmu_notifier'.

I think I see other drivers are doing things like assuming that there
is only one mm in their world (despite being FD based, so this is not
really guaranteed)

So, my first attempt would be an api something like:

   priv = mmu_notifier_attach_mm(ops, current->mm, sizeof(my_priv))
   mmu_notifier_detach_mm(priv);

 ops->invalidate_start(struct mmu_notifier *mn):
   struct p *priv = mmu_notifier_priv(mn);

Such that
 - There is only one priv per mm
 - All the srcu stuff is handled inside mmu notifier
 - It is reference counted, so ops can be attached multiple times to
   the same mm

Then odp's per_mm, and struct hmm (if we keep it at all) is simply a
'priv' in the above.

I was thinking of looking at this stuff next, once this series is
done.

Jason
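The following is an added userspace model of the attach/detach API sketched in the reply above; it is not kernel code, not part of this patch series, and not an API that exists in the mmu notifier subsystem. The names `mm_ctx`, `notifier_ops`, `mmu_priv_attach`, `mmu_priv_detach`, `mmu_priv_data` and `mm_invalidate` are assumptions standing in for `struct mm_struct`, the driver's ops table and the sketched `mmu_notifier_attach_mm`/`mmu_notifier_detach_mm`/`mmu_notifier_priv` calls. It shows the lifetime rule that matters for the use-after-free the patch title refers to: one priv per mm, a reference taken on every attach, and the priv freed only when the last attached user detaches, so an invalidate callback can never run against freed memory. SRCU and locking are left out of the single-threaded model.

```c
/* Userspace model of a refcounted, per-mm notifier private area.
 * Added example; the names below are assumptions, not kernel API. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct mm_ctx;                          /* stand-in for struct mm_struct */
struct mmu_priv;                        /* plays the role of the per-mm notifier */

struct notifier_ops {
	void (*invalidate_start)(struct mmu_priv *mn);
};

/* The single per-mm private area: refcount, ops, then the driver payload. */
struct mmu_priv {
	struct mm_ctx *mm;
	unsigned int refcount;
	const struct notifier_ops *ops;
	size_t size;
	unsigned char data[];           /* driver's own struct lives here */
};

struct mm_ctx {
	struct mmu_priv *priv;          /* at most one priv per mm */
	unsigned int freed_privs;       /* instrumentation only */
};

/* Driver payload pointer for a notifier (the sketched mmu_notifier_priv()). */
void *mmu_priv_data(struct mmu_priv *mn) { return mn->data; }

/* First attach allocates the priv; later attaches for the same mm share it
 * and take a reference. A caller asking for a different ops table or payload
 * size would get memory laid out for someone else, so that is refused. */
void *mmu_priv_attach(const struct notifier_ops *ops, struct mm_ctx *mm, size_t size)
{
	struct mmu_priv *p = mm->priv;
	if (p) {
		if (p->ops != ops || p->size != size)
			return NULL;
		p->refcount++;
		return p->data;
	}
	p = calloc(1, sizeof(*p) + size);
	if (!p)
		return NULL;
	p->mm = mm; p->refcount = 1; p->ops = ops; p->size = size;
	mm->priv = p;
	return p->data;
}

/* Drop one reference; the priv (and the mm's pointer to it) goes away only
 * on the last detach. Returns true when it was actually freed. */
bool mmu_priv_detach(void *data)
{
	struct mmu_priv *p = (struct mmu_priv *)((char *)data - offsetof(struct mmu_priv, data));
	if (--p->refcount)
		return false;
	p->mm->priv = NULL;
	p->mm->freed_privs++;
	free(p);
	return true;
}

/* What the core would do on an invalidation: deliver to the live priv, if any. */
void mm_invalidate(struct mm_ctx *mm)
{
	if (mm->priv && mm->priv->ops->invalidate_start)
		mm->priv->ops->invalidate_start(mm->priv);
}

/* A constructed driver: its payload just counts invalidations it received. */
struct my_priv { unsigned int invalidations; };

static void demo_invalidate_start(struct mmu_priv *mn)
{
	((struct my_priv *)mmu_priv_data(mn))->invalidations++;
}
static const struct notifier_ops demo_ops = { .invalidate_start = demo_invalidate_start };

/* Walk the lifetime the sketch implies. Returns 0 on success, else the
 * number of the step that failed. */
int run_demo(void)
{
	struct mm_ctx mm = { 0 };
	struct my_priv *a = mmu_priv_attach(&demo_ops, &mm, sizeof(*a));
	struct my_priv *b = mmu_priv_attach(&demo_ops, &mm, sizeof(*b));

	if (!a || a != b) return 1;                             /* one priv per mm */
	if (mm.priv->refcount != 2) return 2;
	if (mmu_priv_attach(&demo_ops, &mm, sizeof(*a) + 8)) return 3; /* layout mismatch refused */
	mm_invalidate(&mm);
	if (a->invalidations != 1) return 4;
	if (mmu_priv_detach(a)) return 5;                       /* first detach must not free */
	mm_invalidate(&mm);                                     /* b still owns live memory */
	if (b->invalidations != 2) return 6;
	if (!mmu_priv_detach(b)) return 7;                      /* last detach frees */
	if (mm.priv != NULL || mm.freed_privs != 1) return 8;
	mm_invalidate(&mm);                                     /* nothing attached: no callback, no UAF */
	return 0;
}

int main(void)
{
	int rc = run_demo();
	printf("%s (step %d)\n", rc ? "FAIL" : "ok", rc);
	return rc;
}
```

The point of the model is the ordering in `run_demo`: the callback keeps being delivered to memory that is still owned after the first detach, and after the last detach the mm no longer points at the priv at all, which is the property a real implementation has to preserve under concurrent invalidations with SRCU rather than with the plain counter used here.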