On Wed, Oct 30, 2019 at 11:44:12AM +0200, Michal Kalderon wrote:
> diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
> index b1f5334ff907..dbe9bd3d389a 100644
> --- a/drivers/infiniband/core/uverbs_main.c
> +++ b/drivers/infiniband/core/uverbs_main.c
> @@ -819,7 +819,7 @@ static void rdma_umap_open(struct vm_area_struct *vma)
> priv = kzalloc(sizeof(*priv), GFP_KERNEL);
> if (!priv)
> goto out_unlock;
> - rdma_umap_priv_init(priv, vma);
> + rdma_umap_priv_init(priv, vma, opriv->entry);
>
> up_read(&ufile->hw_destroy_rwsem);
> return;
> @@ -844,6 +844,11 @@ static void rdma_umap_close(struct vm_area_struct *vma)
> if (!priv)
> return;
>
> + if (priv->entry) {
> + rdma_user_mmap_entry_put(ufile->ucontext, priv->entry);
> + priv->entry = NULL;
> + }
> +

This should be done inside the lock otherwise it can race with uverbs_user_mmap_disassociate(), the assignment of NULL is not needed as we free it immediately after.

> @@ -946,6 +951,13 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
>
> if (vma->vm_mm != mm)
> continue;
> +
> + if (priv->entry) {
> + rdma_user_mmap_entry_put(ufile->ucontext,
> + priv->entry);
> + priv->entry = NULL;
> + }
> +
> list_del_init(&priv->list);
>
> zap_vma_ptes(vma, vma->vm_start,

The zap needs to be before the entry_put so that the pages are actually removed before the driver goes to free them

Jason
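Review bot: In the rdma_umap_open hunk the new priv is handed `opriv->entry` through rdma_umap_priv_init(), while the rdma_umap_close hunk later calls rdma_user_mmap_entry_put() once per priv, so unless rdma_umap_priv_init() (not part of this excerpt) takes its own reference on the entry, a forked or split VMA will put one more reference than was ever taken and the entry can be freed while the original mapping still uses it. The get and the put need to be paired per priv rather than per mmap() call; if the get lives inside rdma_umap_priv_init, a comment at the call site stating that ownership would make the pairing auditable, e.g. `/* priv takes its own ref on entry; dropped in rdma_umap_close() or uverbs_user_mmap_disassociate() */`. rdma_umap_open's body begins outside the hunk and `opriv` is only visible as a name here, so this is inferred from the three hunks together.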