On Fri, Mar 06, 2020 at 03:35:56PM +0100, Jean-Philippe Brucker wrote: > On Fri, Mar 06, 2020 at 09:09:19AM -0400, Jason Gunthorpe wrote: > > On Fri, Mar 06, 2020 at 10:56:14AM +0100, Jean-Philippe Brucker wrote: > > > I tried to keep it simple like that: normally mmu_notifier_get() is called > > > in bind(), and mmu_notifier_put() is called in unbind(). > > > > > > Multiple device drivers may call bind() with the same mm. Each bind() > > > calls mmu_notifier_get(), obtains the same io_mm, and returns a new bond > > > (a device<->mm link). Each bond is freed by calling unbind(), which calls > > > mmu_notifier_put(). > > > > > > That's the most common case. Now if the process is killed and the mm > > > disappears, we do need to avoid use-after-free caused by DMA of the > > > mappings and the page tables. > > > > This is why release must do invalidate all - but it doesn't need to do > > any more - as no SPTE can be established without a mmget() - and > > mmget() is no longer possible past release. > > In our case we don't have SPTEs, the whole pgd is shared between MMU and > IOMMU (isolated using PASID tables). Okay, but this just means that 'invalidate all' also requires switching the PASID to use some pgd that is permanently 'all fail'. > At this point no one told the device to stop working on this queue, > it may still be doing DMA on this address space. Sure, but there are lots of cases where a defective user space can cause pages under active DMA to disappear, like munmap for instance. Process exit is really no different, the PASID should take errors and the device & driver should do whatever error flow it has. Involving a complex driver flow in the exit_mmap path seems like dangerous complexity to me. Jason
