From: "Christian König" <christian.koenig@amd.com>
To: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
intel-xe@lists.freedesktop.org, intel-gfx@lists.freedesktop.org
Cc: Dave Airlie <airlied@redhat.com>, Huang Rui <ray.huang@amd.com>,
dri-devel@lists.freedesktop.org, stable@vger.kernel.org
Subject: Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
Date: Wed, 21 Feb 2024 11:26:53 +0100
Message-ID: <6733f48a-4fb2-446c-91a8-e631937fbfcb@amd.com>
In-Reply-To: <20240221073324.3303-1-thomas.hellstrom@linux.intel.com>

On 21.02.24 at 08:33, Thomas Hellström wrote:
> If caching mode change fails due to, for example, OOM we
> free the allocated pages in a two-step process. First the pages
> for which the caching change has already succeeded. Secondly
> the pages for which a caching change did not succeed.
>
> However the second step was incorrectly freeing the pages already
> freed in the first step.
>
> Fix.
>
> Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Dave Airlie <airlied@redhat.com>
> Cc: Christian Koenig <christian.koenig@amd.com>
> Cc: Huang Rui <ray.huang@amd.com>
> Cc: dri-devel@lists.freedesktop.org
> Cc: <stable@vger.kernel.org> # v6.4+

You don't know how much time I've spent staring at this line to find the
bug in it and haven't seen it. Got bug reports about that for months as well.

Reviewed-by: Christian König <christian.koenig@amd.com>

> ---
> drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
> index b62f420a9f96..112438d965ff 100644
> --- a/drivers/gpu/drm/ttm/ttm_pool.c
> +++ b/drivers/gpu/drm/ttm/ttm_pool.c
> @@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct ttm_pool *pool, struct ttm_tt *tt,
> enum ttm_caching caching,
> pgoff_t start_page, pgoff_t end_page)
> {
> - struct page **pages = tt->pages;
> + struct page **pages = &tt->pages[start_page];
> unsigned int order;
> pgoff_t i, nr;
>
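
Review bot: The new initializer `&tt->pages[start_page]` is the entire fix, but nothing at the declaration says that `pages` is meant to follow the range passed in as start_page and end_page rather than the start of tt->pages. A one-line comment at the declaration, or a sentence in the commit message in place of the bare "Fix.", stating that the pointer previously started at index 0 regardless of start_page, would make the offset error obvious to the next reader. The loop that consumes `pages`, `i` and `nr` is outside the visible context, so it is worth confirming that nothing further down still indexes from tt->pages directly.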