[PATCH 4/4] mm: check the device private page owner in hmm_range_fault

Christoph Hellwig hch at lst.de
Sat Mar 21 08:22:36 UTC 2020


On Fri, Mar 20, 2020 at 10:41:09AM -0300, Jason Gunthorpe wrote:
> Thinking about this some more, does the locking work out here?
> 
> hmm_range_fault() runs with mmap_sem in read, and does not lock any of
> the page table levels.
> 
> So it relies on accessing stale pte data being safe, and here we
> introduce for the first time a page pointer dereference and a pgmap
> dereference without any locking/refcounting.
> 
> The get_dev_pagemap() worked on the PFN and obtained a refcount, so it
> created safety.
> 
> Is there some tricky reason this is safe, e.g. a DEVICE_PRIVATE page
> cannot be removed from the vma without holding mmap_sem in write or
> something?

I don't think there is any specific protection.  Let me see if we
can throw in a get_dev_pagemap here - note that current mainline doesn't
even use it for this path..

