| author | Jason Gunthorpe <[email protected]> | 2019-05-24 15:14:08 +0000 |
|---|---|---|
| committer | Jason Gunthorpe <[email protected]> | 2019-06-24 20:38:18 +0000 |
| commit | 14331726a3c47bb1649dab155a84610f509d414e (patch) | |
| tree | 9dc1a6341e79bdaf3c3ac93bd6fa23ac8c316eae /drivers/gpu/drm/omapdrm/omap_irq.c | |
| parent | mm/hmm: Poison hmm_range during unregister (diff) | |
mm/hmm: Remove confusing comment and logic from hmm_release

hmm_release() is called exactly once per hmm. ops->release() cannot
accidentally trigger any action that would recurse back onto
hmm->mirrors_sem.

This fixes a use-after-free race of the form:

    CPU0                                 CPU1
                                         hmm_release()
                                           up_write(&hmm->mirrors_sem);
    hmm_mirror_unregister(mirror)
      down_write(&hmm->mirrors_sem);
      up_write(&hmm->mirrors_sem);
      kfree(mirror)
                                           mirror->ops->release(mirror)

The only user we have today for ops->release is an empty function, so this
is unambiguously safe.

As a consequence of plugging this race, drivers are not allowed to
register/unregister mirrors from within a release op.

Signed-off-by: Jason Gunthorpe <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Tested-by: Philip Yang <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/omapdrm/omap_irq.c')
0 files changed, 0 insertions, 0 deletions
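
The interleaving from the commit message, replayed as an added single-threaded C model; it is not code from the kernel or from this commit. The lock model and the names `try_write`, `cpu0_unregister_and_free`, `release_op` and `hmm_release_model` are hypothetical, and the non-racy branch assumes the fix keeps `mirrors_sem` held across `ops->release`, which the message implies but this page does not show.

```c
#include <stdbool.h>
#include <stddef.h>
/* Single-threaded model of an rw_semaphore: a failed try_write() marks a
 * point where the kernel's down_write() would sleep instead. */
struct rwsem { int readers; bool writer; };
struct mirror { bool freed; bool released_after_free; };
struct hmm { struct rwsem mirrors_sem; struct mirror *mirror; };

static bool try_write(struct rwsem *s)
{
    if (s->readers > 0 || s->writer)
        return false;
    s->writer = true;
    return true;
}

/* CPU0 in the diagram: hmm_mirror_unregister() followed by kfree(). */
static bool cpu0_unregister_and_free(struct hmm *h, struct mirror *m)
{
    if (!try_write(&h->mirrors_sem))
        return false;              /* lock held: CPU0 has to wait */
    h->mirror = NULL;
    h->mirrors_sem.writer = false; /* up_write() */
    m->freed = true;               /* flag instead of free(), so no real UB */
    return true;
}

/* ops->release: records whether it was handed an already freed mirror. */
static void release_op(struct mirror *m) { m->released_after_free = m->freed; }

/* CPU1. racy: lock dropped before the callback. Otherwise (assumed fix):
 * lock held across the callback. Returns true on use-after-free. */
static bool hmm_release_model(bool racy)
{
    struct mirror m = { false, false };
    struct hmm h = { { 0, false }, &m };
    struct mirror *cur;
    h.mirrors_sem.readers++;           /* take the lock (modelled as a reader) */
    cur = h.mirror;
    if (racy)
        h.mirrors_sem.readers--;       /* window opens before release */
    cpu0_unregister_and_free(&h, cur); /* CPU0 scheduled at this point */
    release_op(cur);
    if (!racy)
        h.mirrors_sem.readers--;       /* unlock only after release */
    return m.released_after_free;
}
int main(void) { return hmm_release_model(false) ? 1 : 0; }
```

In the locked ordering the unregister attempt is refused at the point where the real `down_write()` would block, so the callback always sees a live mirror.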
