[PATCH 3/4] drm/panfrost: Fix shrinker lockdep issues using drm_gem_shmem_purge()

Thu Aug 22 13:23:06 UTC 2019

On 19/08/2019 17:12, Rob Herring wrote:
> This fixes 2 issues found by lockdep. First, drm_gem_shmem_purge()
> now uses mutex_trylock for the pages_lock to avoid a circular
> dependency.

NIT: This is in the previous patch.

> Second, it drops the call to panfrost_mmu_unmap() which takes several
> locks due to runtime PM calls. The call is not necessary because the
> unmapping is also called in panfrost_gem_close() already.

I could be completely mistaken here, but don't we need to unmap the
memory from the GPU here because the backing is free? The
panfrost_gem_close() call could come significantly later, by which time
a malicious user space could have run some jobs on the GPU to take a
look at what those mappings now point to (quite likely some other
processes memory).

So this looks to me like a crafty way of observing 'random' memory in
the system.

Steve

> Fixes: 013b65101315 ("drm/panfrost: Add madvise and shrinker support")
> Cc: Tomeu Vizoso <tomeu.vizoso at collabora.com>
> Cc: David Airlie <airlied at linux.ie>
> Cc: Daniel Vetter <daniel at ffwll.ch>
> Signed-off-by: Rob Herring <robh at kernel.org>
> ---
>  drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c | 15 ++-------------
>  1 file changed, 2 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c b/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
> index d191632b6197..cc15005dc68f 100644
> --- a/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
> +++ b/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
> @@ -36,17 +36,6 @@ panfrost_gem_shrinker_count(struct shrinker *shrinker, struct shrink_control *sc
>  	return count;
>  }
>  
> -static void panfrost_gem_purge(struct drm_gem_object *obj)
> -{
> -	struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj);
> -	mutex_lock(&shmem->pages_lock);
> -
> -	panfrost_mmu_unmap(to_panfrost_bo(obj));
> -	drm_gem_shmem_purge_locked(obj);
> -
> -	mutex_unlock(&shmem->pages_lock);
> -}
> -
>  static unsigned long
>  panfrost_gem_shrinker_scan(struct shrinker *shrinker, struct shrink_control *sc)
>  {
> @@ -61,8 +50,8 @@ panfrost_gem_shrinker_scan(struct shrinker *shrinker, struct shrink_control *sc)
>  	list_for_each_entry_safe(shmem, tmp, &pfdev->shrinker_list, madv_list) {
>  		if (freed >= sc->nr_to_scan)
>  			break;
> -		if (drm_gem_shmem_is_purgeable(shmem)) {
> -			panfrost_gem_purge(&shmem->base);
> +		if (drm_gem_shmem_is_purgeable(shmem) &&
> +		    drm_gem_shmem_purge(&shmem->base)) {
>  			freed += shmem->base.size >> PAGE_SHIFT;
>  			list_del_init(&shmem->madv_list);
>  		}
> 