Commit aed44cbe authored by Boris Brezillon's avatar Boris Brezillon Committed by Rob Herring

drm/panfrost: Fix a race in panfrost_gem_free_object()

panfrost_gem_shrinker_scan() might purge a BO (release the sgt and
kill the GPU mapping) that's being freed by panfrost_gem_free_object()
if we don't remove the BO from the shrinker list at the beginning of
panfrost_gem_free_object().

Fixes: 013b6510 ("drm/panfrost: Add madvise and shrinker support")
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarBoris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: default avatarSteven Price <steven.price@arm.com>
Acked-by: default avatarAlyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
Signed-off-by: default avatarRob Herring <robh@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20191129135908.2439529-5-boris.brezillon@collabora.com
parent 3bb69dbc
...@@ -19,6 +19,16 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) ...@@ -19,6 +19,16 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj)
struct panfrost_gem_object *bo = to_panfrost_bo(obj); struct panfrost_gem_object *bo = to_panfrost_bo(obj);
struct panfrost_device *pfdev = obj->dev->dev_private; struct panfrost_device *pfdev = obj->dev->dev_private;
/*
* Make sure the BO is no longer inserted in the shrinker list before
* taking care of the destruction itself. If we don't do that we have a
* race condition between this function and what's done in
* panfrost_gem_shrinker_scan().
*/
mutex_lock(&pfdev->shrinker_lock);
list_del_init(&bo->base.madv_list);
mutex_unlock(&pfdev->shrinker_lock);
if (bo->sgts) { if (bo->sgts) {
int i; int i;
int n_sgt = bo->base.base.size / SZ_2M; int n_sgt = bo->base.base.size / SZ_2M;
...@@ -33,11 +43,6 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) ...@@ -33,11 +43,6 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj)
kfree(bo->sgts); kfree(bo->sgts);
} }
mutex_lock(&pfdev->shrinker_lock);
if (!list_empty(&bo->base.madv_list))
list_del(&bo->base.madv_list);
mutex_unlock(&pfdev->shrinker_lock);
drm_gem_shmem_free_object(obj); drm_gem_shmem_free_object(obj);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment