From: Boris Brezillon <boris.brezillon@collabora.com>
To: Steven Price <steven.price@arm.com>,
Liviu Dudau <liviu.dudau@arm.com>,
Boris Brezillon <boris.brezillon@collabora.com>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>,
Simona Vetter <simona@ffwll.ch>, Akash Goel <akash.goel@arm.com>,
Chia-I Wu <olvaffe@gmail.com>,
Rob Clark <robin.clark@oss.qualcomm.com>,
Dmitry Baryshkov <lumag@kernel.org>,
Abhinav Kumar <abhinav.kumar@linux.dev>,
Jessica Zhang <jesszhan0024@gmail.com>,
Sean Paul <sean@poorly.run>,
Marijn Suijten <marijn.suijten@somainline.org>,
linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/4] drm/gem: Stop exposing the racy/unsafe drm_gem_lru_remove() helper
Date: Fri, 08 May 2026 12:40:49 +0200
Message-ID: <20260508-panthor-shrinker-fixes-v2-3-39cdb7d577c9@collabora.com>
In-Reply-To: <20260508-panthor-shrinker-fixes-v2-0-39cdb7d577c9@collabora.com>

The only place where it's safe to call drm_gem_lru_remove() is when
we know the drm_gem_object::lru field can't be concurrently updated,
which we know is the case when the drm_gem_object is destroyed.

Rather than trying to make that safe, let's kill the function and inline
its content in drm_gem_object_release().

Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
---
drivers/gpu/drm/drm_gem.c | 90 ++++++++++++++++++++---------------------------
include/drm/drm_gem.h | 1 -
2 files changed, 39 insertions(+), 52 deletions(-)
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
index 0e087c770883..c85a39b8b163 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1108,6 +1108,15 @@ drm_gem_release(struct drm_device *dev, struct drm_file *file_private)
idr_destroy(&file_private->object_idr);
}
+static void
+drm_gem_lru_remove_locked(struct drm_gem_object *obj)
+{
+ obj->lru->count -= obj->size >> PAGE_SHIFT;
+ WARN_ON(obj->lru->count < 0);
+ list_del(&obj->lru_node);
+ obj->lru = NULL;
+}
+
/**
* drm_gem_object_release - release GEM buffer object resources
* @obj: GEM buffer object
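Review bot: drm_gem_lru_remove_locked() dereferences obj->lru and edits the list without asserting that the caller holds the LRU lock. Since the helper is now reached from two places (drm_gem_object_release() and, per the comment added further down, drm_gem_lru_scan()), add lockdep_assert_held(obj->lru->lock) as its first statement so a caller that forgets the lock is caught under lockdep rather than showing up as list corruption. Separately, WARN_ON(obj->lru->count < 0) fires only after the subtraction, so the counter stays negative afterwards; consider whether that state should be clamped or at least described in a comment.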
@@ -1118,13 +1127,42 @@ drm_gem_release(struct drm_device *dev, struct drm_file *file_private)
void
drm_gem_object_release(struct drm_gem_object *obj)
{
+ struct drm_gem_lru *lru;
+
if (obj->filp)
fput(obj->filp);
drm_gem_private_object_fini(obj);
drm_gem_free_mmap_offset(obj);
- drm_gem_lru_remove(obj);
+
+ /*
+ * We do the lru != NULL check without the lru->lock held, which
+ * means we might end up with a stale lru value by the time the
+ * lock is acquired.
+ *
+ * This is deemed safe because:
+ * 1. the LRU is assumed to outlive any GEM object it was attached
+ * (LRUs are usually bound to a drm_device). So even if obj->lru
+ * has become NULL, it still point to a valid object that can
+ * safely be dereferenced to get the lock.
+ *
+ * 2. all LRUs a GEM object might be attached to must share the same
+ * lock (lock that's usually part of the driver-specific device
+ * object), so taking the lock on the 'old' LRU is equivalent
+ * to taking it on the new one (if any)
+ */
+ lru = obj->lru;
+ if (lru) {
+ guard(mutex)(lru->lock);
+
+ /* Check a second time with the lock held to make sure we're
+ * not racing with the drm_gem_lru_remove_locked() call in
+ * drm_gem_lru_scan().
+ */
+ if (obj->lru)
+ drm_gem_lru_remove_locked(obj);
+ }
}
EXPORT_SYMBOL(drm_gem_object_release);
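Review bot: The unlocked load "lru = obj->lru;" in drm_gem_object_release() is a plain read of a field that the comment directly above says may change before the lock is taken. Use READ_ONCE(obj->lru) so the intentional lockless read is marked and the compiler cannot reload the field between the NULL check and guard(mutex)(lru->lock). The carried-over comment also deserves a touch-up now that it sits inline: "it was attached" is missing "to", and "even if obj->lru has become NULL, it still point to a valid object" should say that the local lru still points to a valid object, since as written the pronoun reads as obj->lru. Note that the safety argument depends on point 2 (every LRU an object can sit on shares one lock), and nothing in this hunk checks that assumption.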
@@ -1552,56 +1590,6 @@ drm_gem_lru_init(struct drm_gem_lru *lru, struct mutex *lock)
}
EXPORT_SYMBOL(drm_gem_lru_init);
-static void
-drm_gem_lru_remove_locked(struct drm_gem_object *obj)
-{
- obj->lru->count -= obj->size >> PAGE_SHIFT;
- WARN_ON(obj->lru->count < 0);
- list_del(&obj->lru_node);
- obj->lru = NULL;
-}
-
-/**
- * drm_gem_lru_remove - remove object from whatever LRU it is in
- *
- * If the object is currently in any LRU, remove it.
- *
- * @obj: The GEM object to remove from current LRU
- */
-void
-drm_gem_lru_remove(struct drm_gem_object *obj)
-{
- struct drm_gem_lru *lru = obj->lru;
-
- /*
- * We do the lru != NULL check without the lru->lock held, which
- * means we might end up with a stale lru value by the time the
- * lock is acquired.
- *
- * This is deemed safe because:
- * 1. the LRU is assumed to outlive any GEM object it was attached
- * (LRUs are usually bound to a drm_device). So even if obj->lru
- * has become NULL, it still point to a valid object that can
- * safely be dereferenced to get the lock.
- *
- * 2. all LRUs a GEM object might be attached to must share the same
- * lock (lock that's usually part of the driver-specific device
- * object), so taking the lock on the 'old' LRU is equivalent
- * to taking it on the new one (if any)
- */
- if (!lru)
- return;
-
- mutex_lock(lru->lock);
- /* Check a second time with the lock held to make sure we're not racing
- * with another drm_gem_lru_remove[_locked]() call.
- */
- if (obj->lru)
- drm_gem_lru_remove_locked(obj);
- mutex_unlock(lru->lock);
-}
-EXPORT_SYMBOL(drm_gem_lru_remove);
-
/**
* drm_gem_lru_move_tail_locked - move the object to the tail of the LRU
*
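Review bot: Dropping EXPORT_SYMBOL(drm_gem_lru_remove) here turns any remaining caller into a build failure, and the diffstat for this patch lists only drm_gem.c and drm_gem.h. The commit message should state that no in-tree user is left at this point in the series, and which patch removed the last one, so that every commit stays buildable under bisection. On style, the static helper drm_gem_lru_remove_locked() now lives some 450 lines away from drm_gem_lru_init() and the other LRU functions; a forward declaration would have kept the LRU code together and made this hunk a pure deletion of the exported wrapper.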
diff --git a/include/drm/drm_gem.h b/include/drm/drm_gem.h
index 86f5846154f7..d527df98d142 100644
--- a/include/drm/drm_gem.h
+++ b/include/drm/drm_gem.h
@@ -611,7 +611,6 @@ int drm_gem_dumb_map_offset(struct drm_file *file, struct drm_device *dev,
u32 handle, u64 *offset);
void drm_gem_lru_init(struct drm_gem_lru *lru, struct mutex *lock);
-void drm_gem_lru_remove(struct drm_gem_object *obj);
void drm_gem_lru_move_tail_locked(struct drm_gem_lru *lru, struct drm_gem_object *obj);
void drm_gem_lru_move_tail(struct drm_gem_lru *lru, struct drm_gem_object *obj);
unsigned long
--
2.54.0
Thread overview: 7+ messages
2026-05-08 10:40 [PATCH v2 0/4] drm/panthor: Fix a race in the shrinker logic Boris Brezillon
2026-05-08 10:40 ` [PATCH v2 1/4] drm/panthor: Don't use the racy drm_gem_lru_remove() helper Boris Brezillon
2026-05-08 10:40 ` [PATCH v2 2/4] drm/gem: Fix a race between drm_gem_lru_scan() and drm_gem_object_release() Boris Brezillon
2026-05-08 13:49 ` Liviu Dudau
2026-05-08 10:40 ` Boris Brezillon [this message]
2026-05-08 15:00 ` [PATCH v2 3/4] drm/gem: Stop exposing the racy/unsafe drm_gem_lru_remove() helper Liviu Dudau
2026-05-08 10:40 ` [PATCH v2 4/4] drm/gem: Make the GEM LRU lock part of drm_device Boris Brezillon