[PATCH 6.6 140/299] drm/ttm: Fix an invalid freeing on already freed page in error path

Greg Kroah-Hartman gregkh at linuxfoundation.org
Tue Feb 27 13:24:11 UTC 2024


6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellström <thomas.hellstrom at linux.intel.com>

commit 40510a941d27d405a82dc3320823d875f94625df upstream.

If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.

However the second step was incorrectly freeing the pages already
freed in the first step.

Fix.

Signed-off-by: Thomas Hellström <thomas.hellstrom at linux.intel.com>
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König <christian.koenig at amd.com>
Cc: Dave Airlie <airlied at redhat.com>
Cc: Christian Koenig <christian.koenig at amd.com>
Cc: Huang Rui <ray.huang at amd.com>
Cc: dri-devel at lists.freedesktop.org
Cc: <stable at vger.kernel.org> # v6.4+
Reviewed-by: Matthew Auld <matthew.auld at intel.com>
Reviewed-by: Christian König <christian.koenig at amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellstrom@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 drivers/gpu/drm/ttm/ttm_pool.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -384,7 +384,7 @@ static void ttm_pool_free_range(struct t
 				enum ttm_caching caching,
 				pgoff_t start_page, pgoff_t end_page)
 {
-	struct page **pages = tt->pages;
+	struct page **pages = &tt->pages[start_page];
 	unsigned int order;
 	pgoff_t i, nr;
 
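Review bot: In ttm_pool_free_range(), the new initializer `struct page **pages = &tt->pages[start_page];` relies on an unstated contract: start_page and end_page are indices into tt->pages, and the `pages` cursor must always point at the entry for the current index. Nothing in the visible lines documents or checks that. The old initializer `tt->pages` broke this contract by starting the pointer at entry 0 regardless of start_page, which matches the freeing of already freed pages described in the commit message. A short comment above the function stating the relationship would make it harder to break again. Alternatively, the code could index `tt->pages[i]` directly instead of keeping a separate pointer in step with the index. The loop body is not part of this hunk, so this assumes it advances both together.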



