Hi, Baolu,

On Fri, Apr 29, 2022 at 03:53:57PM +0800, Baolu Lu wrote:
> On 2022/4/28 16:39, Jean-Philippe Brucker wrote:
> > > The address space is what the OOM killer is after. That gets refcounted
> > > with mmget()/mmput()/mm->mm_users. The OOM killer is satiated by the
> > > page freeing done in __mmput()->exit_mmap().
> > >
> > > Also, all the VMAs should be gone after exit_mmap(). So, even if
> > > vma->vm_file was holding a reference to a device driver, that reference
> > > should be gone by the time __mmdrop() is actually freeing the PASID.
> >
> > I agree with all that. The concern was about tearing down the PASID in the
> > IOMMU and device from the release() MMU notifier, which would happen in
> > exit_mmap(). But doing the teardown at or before __mmdrop() is fine. And
> > since the IOMMU drivers need to hold mm->mm_count anyway between bind()
> > and unbind(), I think Fenghua's fix works.
>
> But I didn't find mmgrab()/mmdrop() getting called in both the arm and intel
> IOMMU drivers.
>
> $ git grep mmgrab drivers/iommu/
> [no output]
>
> Do we need to add these in a separate fix patch, or did I miss anything
> here?
On both ARM and X86, sva_bind() calls mmu_notifier_register()->mmgrab() and
sva_unbind() calls mmu_notifier_unregister()/mmu_notifier_put()->mmdrop().
So mm->mm_count is already counted in the existing ARM and X86 binding and
unbinding. The fix patch just frees the PASID in __mmdrop() after there is
no more mm->mm_count. There is no need to add an extra mmgrab() and mmdrop()
pair.

Thanks.

-Fenghua

_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu