From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Philip Yang <Philip.Yang@amd.com>,
Felix Kuehling <felix.kuehling@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 48/76] drm/amdkfd: Dont call mmput from MMU notifier callback
Date: Wed, 30 Jul 2025 11:35:41 +0200 [thread overview]
Message-ID: <20250730093228.711398869@linuxfoundation.org> (raw)
In-Reply-To: <20250730093226.854413920@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
commit cf234231fcbc7d391e2135b9518613218cc5347f upstream.
If the process is exiting, the mmput inside mmu notifier callback from
compactd or fork or numa balancing could release the last reference
of mm struct to call exit_mmap and free_pgtable, this triggers deadlock
with below backtrace.
The deadlock will leak kfd process as mmu notifier release is not called
and cause VRAM leaking.
The fix is to take mm reference mmget_non_zero when adding prange to the
deferred list to pair with mmput in deferred list work.
If prange split and add into pchild list, the pchild work_item.mm is not
used, so remove the mm parameter from svm_range_unmap_split and
svm_range_add_child.
The backtrace of hung task:
INFO: task python:348105 blocked for more than 64512 seconds.
Call Trace:
__schedule+0x1c3/0x550
schedule+0x46/0xb0
rwsem_down_write_slowpath+0x24b/0x4c0
unlink_anon_vmas+0xb1/0x1c0
free_pgtables+0xa9/0x130
exit_mmap+0xbc/0x1a0
mmput+0x5a/0x140
svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
mn_itree_invalidate+0x72/0xc0
__mmu_notifier_invalidate_range_start+0x48/0x60
try_to_unmap_one+0x10fa/0x1400
rmap_walk_anon+0x196/0x460
try_to_unmap+0xbb/0x210
migrate_page_unmap+0x54d/0x7e0
migrate_pages_batch+0x1c3/0xae0
migrate_pages_sync+0x98/0x240
migrate_pages+0x25c/0x520
compact_zone+0x29d/0x590
compact_zone_order+0xb6/0xf0
try_to_compact_pages+0xbe/0x220
__alloc_pages_direct_compact+0x96/0x1a0
__alloc_pages_slowpath+0x410/0x930
__alloc_pages_nodemask+0x3a9/0x3e0
do_huge_pmd_anonymous_page+0xd7/0x3e0
__handle_mm_fault+0x5e3/0x5f0
handle_mm_fault+0xf7/0x2e0
hmm_vma_fault.isra.0+0x4d/0xa0
walk_pmd_range.isra.0+0xa8/0x310
walk_pud_range+0x167/0x240
walk_pgd_range+0x55/0x100
__walk_page_range+0x87/0x90
walk_page_range+0xf6/0x160
hmm_range_fault+0x4f/0x90
amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]
amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]
init_user_pages+0xb1/0x2a0 [amdgpu]
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]
kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]
kfd_ioctl+0x29d/0x500 [amdgpu]
Fixes: fa582c6f3684 ("drm/amdkfd: Use mmget_not_zero in MMU notifier")
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)
Cc: stable@vger.kernel.org
[ updated additional svm_range_add_child calls in svm_range_split_by_granularity to remove mm parameter ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 47 ++++++++++++++++-------------------
1 file changed, 22 insertions(+), 25 deletions(-)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -1130,13 +1130,12 @@ svm_range_split_head(struct svm_range *p
}
static void
-svm_range_add_child(struct svm_range *prange, struct mm_struct *mm,
- struct svm_range *pchild, enum svm_work_list_ops op)
+svm_range_add_child(struct svm_range *prange, struct svm_range *pchild, enum svm_work_list_ops op)
{
pr_debug("add child 0x%p [0x%lx 0x%lx] to prange 0x%p child list %d\n",
pchild, pchild->start, pchild->last, prange, op);
- pchild->work_item.mm = mm;
+ pchild->work_item.mm = NULL;
pchild->work_item.op = op;
list_add_tail(&pchild->child_list, &prange->child_list);
}
@@ -1182,14 +1181,14 @@ svm_range_split_by_granularity(struct kf
r = svm_range_split(prange, start, prange->last, &head);
if (r)
return r;
- svm_range_add_child(parent, mm, head, SVM_OP_ADD_RANGE);
+ svm_range_add_child(parent, head, SVM_OP_ADD_RANGE);
}
if (last < prange->last) {
r = svm_range_split(prange, prange->start, last, &tail);
if (r)
return r;
- svm_range_add_child(parent, mm, tail, SVM_OP_ADD_RANGE);
+ svm_range_add_child(parent, tail, SVM_OP_ADD_RANGE);
}
/* xnack on, update mapping on GPUs with ACCESS_IN_PLACE */
@@ -2393,15 +2392,17 @@ svm_range_add_list_work(struct svm_range
prange->work_item.op != SVM_OP_UNMAP_RANGE)
prange->work_item.op = op;
} else {
- prange->work_item.op = op;
-
- /* Pairs with mmput in deferred_list_work */
- mmget(mm);
- prange->work_item.mm = mm;
- list_add_tail(&prange->deferred_list,
- &prange->svms->deferred_range_list);
- pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n",
- prange, prange->start, prange->last, op);
+ /* Pairs with mmput in deferred_list_work.
+ * If process is exiting and mm is gone, don't update mmu notifier.
+ */
+ if (mmget_not_zero(mm)) {
+ prange->work_item.mm = mm;
+ prange->work_item.op = op;
+ list_add_tail(&prange->deferred_list,
+ &prange->svms->deferred_range_list);
+ pr_debug("add prange 0x%p [0x%lx 0x%lx] to work list op %d\n",
+ prange, prange->start, prange->last, op);
+ }
}
spin_unlock(&svms->deferred_list_lock);
}
@@ -2415,8 +2416,7 @@ void schedule_deferred_list_work(struct
}
static void
-svm_range_unmap_split(struct mm_struct *mm, struct svm_range *parent,
- struct svm_range *prange, unsigned long start,
+svm_range_unmap_split(struct svm_range *parent, struct svm_range *prange, unsigned long start,
unsigned long last)
{
struct svm_range *head;
@@ -2437,12 +2437,12 @@ svm_range_unmap_split(struct mm_struct *
svm_range_split(tail, last + 1, tail->last, &head);
if (head != prange && tail != prange) {
- svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE);
- svm_range_add_child(parent, mm, tail, SVM_OP_ADD_RANGE);
+ svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE);
+ svm_range_add_child(parent, tail, SVM_OP_ADD_RANGE);
} else if (tail != prange) {
- svm_range_add_child(parent, mm, tail, SVM_OP_UNMAP_RANGE);
+ svm_range_add_child(parent, tail, SVM_OP_UNMAP_RANGE);
} else if (head != prange) {
- svm_range_add_child(parent, mm, head, SVM_OP_UNMAP_RANGE);
+ svm_range_add_child(parent, head, SVM_OP_UNMAP_RANGE);
} else if (parent != prange) {
prange->work_item.op = SVM_OP_UNMAP_RANGE;
}
@@ -2481,14 +2481,14 @@ svm_range_unmap_from_cpu(struct mm_struc
l = min(last, pchild->last);
if (l >= s)
svm_range_unmap_from_gpus(pchild, s, l, trigger);
- svm_range_unmap_split(mm, prange, pchild, start, last);
+ svm_range_unmap_split(prange, pchild, start, last);
mutex_unlock(&pchild->lock);
}
s = max(start, prange->start);
l = min(last, prange->last);
if (l >= s)
svm_range_unmap_from_gpus(prange, s, l, trigger);
- svm_range_unmap_split(mm, prange, prange, start, last);
+ svm_range_unmap_split(prange, prange, start, last);
if (unmap_parent)
svm_range_add_list_work(svms, prange, mm, SVM_OP_UNMAP_RANGE);
@@ -2531,8 +2531,6 @@ svm_range_cpu_invalidate_pagetables(stru
if (range->event == MMU_NOTIFY_RELEASE)
return true;
- if (!mmget_not_zero(mni->mm))
- return true;
start = mni->interval_tree.start;
last = mni->interval_tree.last;
@@ -2559,7 +2557,6 @@ svm_range_cpu_invalidate_pagetables(stru
}
svm_range_unlock(prange);
- mmput(mni->mm);
return true;
}
next prev parent reply other threads:[~2025-07-30 9:39 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-30 9:34 [PATCH 6.6 00/76] 6.6.101-rc1 review Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 01/76] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 02/76] virtio_ring: Fix error reporting in virtqueue_resize Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 03/76] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 04/76] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 05/76] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
2025-07-30 9:34 ` [PATCH 6.6 06/76] iio: adc: ad7949: use spi_is_bpw_supported() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 07/76] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 08/76] x86/hyperv: Fix usage of cpu_online_mask to get valid cpu Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 09/76] platform/x86: Fix initialization order for firmware_attributes_class Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 10/76] staging: vchiq_arm: Make vchiq_shutdown never fail Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 11/76] xfrm: interface: fix use-after-free after changing collect_md xfrm interface Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 12/76] net/mlx5: Fix memory leak in cmd_exec() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 13/76] net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 14/76] i40e: Add rx_missed_errors for buffer exhaustion Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 15/76] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 16/76] i40e: When removing VF MAC filters, only check PF-set MAC Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 17/76] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 18/76] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 19/76] can: dev: can_restart(): reverse logic to remove need for goto Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 20/76] can: dev: can_restart(): move debug message and stats after successful restart Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 21/76] can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 22/76] drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 23/76] s390/ism: fix concurrency management in ism_cmd() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 24/76] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 25/76] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 26/76] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 27/76] net: hns3: default enable tx bounce buffer when smmu enabled Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 28/76] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 29/76] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 30/76] i2c: tegra: Fix reset error handling with ACPI Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 31/76] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 32/76] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 33/76] sprintf.h requires stdarg.h Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 34/76] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 35/76] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 36/76] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 37/76] dpaa2-switch: " Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 38/76] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 39/76] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 40/76] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 41/76] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 42/76] kasan: use vmalloc_dump_obj() for vmalloc error reports Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 43/76] nilfs2: reject invalid file types when reading inodes Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 44/76] resource: fix false warning in __request_region() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 45/76] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 46/76] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 47/76] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
2025-07-30 9:35 ` Greg Kroah-Hartman [this message]
2025-07-30 9:35 ` [PATCH 6.6 49/76] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 50/76] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 51/76] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 52/76] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 53/76] jfs: reject on-disk inodes of an unsupported type Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 54/76] comedi: comedi_test: Fix possible deletion of uninitialized timers Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 55/76] ALSA: hda/tegra: Add Tegra264 support Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 56/76] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 57/76] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 58/76] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 59/76] erofs: address D-cache aliasing Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 60/76] crypto: powerpc/poly1305 - add depends on BROKEN for now Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 61/76] crypto: qat - add shutdown handler to qat_dh895xcc Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 62/76] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 63/76] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 64/76] ksmbd: fix use-after-free in __smb2_lease_break_noti() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 65/76] mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec() Greg Kroah-Hartman
2025-07-30 9:35 ` [PATCH 6.6 66/76] perf/x86/intel: Fix crash in icl_update_topdown_event() Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 67/76] wifi: mt76: mt7921: prevent decap offload config before STA initialization Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 68/76] ksmbd: add free_transport ops in ksmbd connection Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 69/76] arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 70/76] mptcp: make fallback action and fallback decision atomic Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 71/76] mptcp: plug races between subflow fail and subflow creation Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 72/76] mptcp: reset fallback status gracefully at disconnect() time Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 73/76] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 74/76] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 75/76] spi: cadence-quadspi: fix cleanup of rx_chan on failure paths Greg Kroah-Hartman
2025-07-30 9:36 ` [PATCH 6.6 76/76] Revert "selftests/bpf: Add a cgroup prog bpf_get_ns_current_pid_tgid() test" Greg Kroah-Hartman
2025-07-30 17:19 ` [PATCH 6.6 00/76] 6.6.101-rc1 review Brett A C Sheffield
2025-07-30 17:31 ` Peter Schneider
2025-07-30 17:38 ` Mark Brown
2025-07-30 20:10 ` Jon Hunter
2025-07-30 21:00 ` Shuah Khan
2025-07-30 22:12 ` Shuah Khan
2025-07-31 7:09 ` Harshit Mogalapalli
2025-07-31 8:54 ` Ron Economos
2025-07-31 10:38 ` Naresh Kamboju
2025-07-31 18:48 ` Miguel Ojeda
2025-08-01 1:28 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250730093228.711398869@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Philip.Yang@amd.com \
--cc=alexander.deucher@amd.com \
--cc=felix.kuehling@amd.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox