On 29/11/2019 13:59, Boris Brezillon wrote: > panfrost_gem_shrinker_scan() might purge a BO (release the sgt and > kill the GPU mapping) that's being freed by panfrost_gem_free_object() > if we don't remove the BO from the shrinker list at the beginning of > panfrost_gem_free_object(). > > Fixes: 013b65101315 ("drm/panfrost: Add madvise and shrinker support") > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx> Reviewed-by: Steven Price <steven.price@xxxxxxx> > --- > drivers/gpu/drm/panfrost/panfrost_gem.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c > index acb07fe06580..daf4c55a2863 100644 > --- a/drivers/gpu/drm/panfrost/panfrost_gem.c > +++ b/drivers/gpu/drm/panfrost/panfrost_gem.c > @@ -19,6 +19,16 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) > struct panfrost_gem_object *bo = to_panfrost_bo(obj); > struct panfrost_device *pfdev = obj->dev->dev_private; > > + /* > + * Make sure the BO is no longer inserted in the shrinker list before > + * taking care of the destruction itself. If we don't do that we have a > + * race condition between this function and what's done in > + * panfrost_gem_shrinker_scan(). > + */ > + mutex_lock(&pfdev->shrinker_lock); > + list_del_init(&bo->base.madv_list); > + mutex_unlock(&pfdev->shrinker_lock); > + > if (bo->sgts) { > int i; > int n_sgt = bo->base.base.size / SZ_2M; > @@ -33,11 +43,6 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj) > kfree(bo->sgts); > } > > - mutex_lock(&pfdev->shrinker_lock); > - if (!list_empty(&bo->base.madv_list)) > - list_del(&bo->base.madv_list); > - mutex_unlock(&pfdev->shrinker_lock); > - > drm_gem_shmem_free_object(obj); > } > >