Patch "drm/ttm: Fix an invalid freeing on already freed page in error path" has been added to the 6.1-stable tree
This is a note to let you know that I've just added the patch titled
drm/ttm: Fix an invalid freeing on already freed page in error path
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.
>From 40510a941d27d405a82dc3320823d875f94625df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
Date: Wed, 21 Feb 2024 08:33:24 +0100
Subject: drm/ttm: Fix an invalid freeing on already freed page in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Thomas Hellström
commit 40510a941d27d405a82dc3320823d875f94625df upstream.
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
Reviewed-by: Matthew Auld
Reviewed-by: Christian König
Link:
https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellst...@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/ttm/ttm_pool.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -383,7 +383,7 @@ static void ttm_pool_free_range(struct t
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Patches currently in stable-queue which might be from
thomas.hellst...@linux.intel.com are
queue-6.1/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
Patch "drm/ttm: Fix an invalid freeing on already freed page in error path" has been added to the 6.6-stable tree
This is a note to let you know that I've just added the patch titled
drm/ttm: Fix an invalid freeing on already freed page in error path
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.
>From 40510a941d27d405a82dc3320823d875f94625df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
Date: Wed, 21 Feb 2024 08:33:24 +0100
Subject: drm/ttm: Fix an invalid freeing on already freed page in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Thomas Hellström
commit 40510a941d27d405a82dc3320823d875f94625df upstream.
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
Reviewed-by: Matthew Auld
Reviewed-by: Christian König
Link:
https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellst...@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/ttm/ttm_pool.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -384,7 +384,7 @@ static void ttm_pool_free_range(struct t
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Patches currently in stable-queue which might be from
thomas.hellst...@linux.intel.com are
queue-6.6/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
Patch "drm/ttm: Fix an invalid freeing on already freed page in error path" has been added to the 6.7-stable tree
This is a note to let you know that I've just added the patch titled
drm/ttm: Fix an invalid freeing on already freed page in error path
to the 6.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
and it can be found in the queue-6.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.
>From 40510a941d27d405a82dc3320823d875f94625df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
Date: Wed, 21 Feb 2024 08:33:24 +0100
Subject: drm/ttm: Fix an invalid freeing on already freed page in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Thomas Hellström
commit 40510a941d27d405a82dc3320823d875f94625df upstream.
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
Reviewed-by: Matthew Auld
Reviewed-by: Christian König
Link:
https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellst...@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/ttm/ttm_pool.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct t
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Patches currently in stable-queue which might be from
thomas.hellst...@linux.intel.com are
queue-6.7/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
Patch "drm/ttm: Fix an invalid freeing on already freed page in error path" has been added to the 5.15-stable tree
This is a note to let you know that I've just added the patch titled
drm/ttm: Fix an invalid freeing on already freed page in error path
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.
>From 40510a941d27d405a82dc3320823d875f94625df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
Date: Wed, 21 Feb 2024 08:33:24 +0100
Subject: drm/ttm: Fix an invalid freeing on already freed page in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Thomas Hellström
commit 40510a941d27d405a82dc3320823d875f94625df upstream.
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
Reviewed-by: Matthew Auld
Reviewed-by: Christian König
Link:
https://patchwork.freedesktop.org/patch/msgid/20240221073324.3303-1-thomas.hellst...@linux.intel.com
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/ttm/ttm_pool.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -384,7 +384,7 @@ static void ttm_pool_free_range(struct t
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Patches currently in stable-queue which might be from
thomas.hellst...@linux.intel.com are
queue-5.15/drm-ttm-fix-an-invalid-freeing-on-already-freed-page-in-error-path.patch
Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
Am 22.02.24 um 08:34 schrieb Thomas Hellström:
On Wed, 2024-02-21 at 11:26 +0100, Christian König wrote:
Am 21.02.24 um 08:33 schrieb Thomas Hellström:
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
You don't know how much time I've spend staring at this line to find
the
bug in it and haven't seen it. Got bug reports about that for month
as well.
Yeah, sorry about that. We should probably have Kunit tests exercising
OOM in the pool code involving WC pages.
I'll push this to drm-misc-next.
drm-misc-fixes please! That needs to be backported ASAP.
Need to dig up the bug report for this again.
Thanks,
Christian.
/Thomas
Reviewed-by: Christian König
---
drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c
b/drivers/gpu/drm/ttm/ttm_pool.c
index b62f420a9f96..112438d965ff 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct ttm_pool
*pool, struct ttm_tt *tt,
enum ttm_caching caching,
pgoff_t start_page, pgoff_t
end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
On Thu, 2024-02-22 at 08:34 +0100, Thomas Hellström wrote:
> On Wed, 2024-02-21 at 11:26 +0100, Christian König wrote:
> > Am 21.02.24 um 08:33 schrieb Thomas Hellström:
> > > If caching mode change fails due to, for example, OOM we
> > > free the allocated pages in a two-step process. First the pages
> > > for which the caching change has already succeeded. Secondly
> > > the pages for which a caching change did not succeed.
> > >
> > > However the second step was incorrectly freeing the pages already
> > > freed in the first step.
> > >
> > > Fix.
> > >
> > > Signed-off-by: Thomas Hellström
> > >
> > > Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error
> > > path")
> > > Cc: Christian König
> > > Cc: Dave Airlie
> > > Cc: Christian Koenig
> > > Cc: Huang Rui
> > > Cc: dri-devel@lists.freedesktop.org
> > > Cc: # v6.4+
> >
> > You don't know how much time I've spend staring at this line to
> > find
> > the
> > bug in it and haven't seen it. Got bug reports about that for month
> > as well.
>
>
> Yeah, sorry about that. We should probably have Kunit tests
> exercising
> OOM in the pool code involving WC pages.
>
> I'll push this to drm-misc-next.
drm-misc-fixes..
/Thomas
>
> /Thomas
>
> >
> > Reviewed-by: Christian König
> >
> > > ---
> > > drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/ttm/ttm_pool.c
> > > b/drivers/gpu/drm/ttm/ttm_pool.c
> > > index b62f420a9f96..112438d965ff 100644
> > > --- a/drivers/gpu/drm/ttm/ttm_pool.c
> > > +++ b/drivers/gpu/drm/ttm/ttm_pool.c
> > > @@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct
> > > ttm_pool
> > > *pool, struct ttm_tt *tt,
> > > enum ttm_caching caching,
> > > pgoff_t start_page, pgoff_t
> > > end_page)
> > > {
> > > - struct page **pages = tt->pages;
> > > + struct page **pages = >pages[start_page];
> > > unsigned int order;
> > > pgoff_t i, nr;
> > >
> >
>
Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
On Wed, 2024-02-21 at 11:26 +0100, Christian König wrote:
> Am 21.02.24 um 08:33 schrieb Thomas Hellström:
> > If caching mode change fails due to, for example, OOM we
> > free the allocated pages in a two-step process. First the pages
> > for which the caching change has already succeeded. Secondly
> > the pages for which a caching change did not succeed.
> >
> > However the second step was incorrectly freeing the pages already
> > freed in the first step.
> >
> > Fix.
> >
> > Signed-off-by: Thomas Hellström
> > Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
> > Cc: Christian König
> > Cc: Dave Airlie
> > Cc: Christian Koenig
> > Cc: Huang Rui
> > Cc: dri-devel@lists.freedesktop.org
> > Cc: # v6.4+
>
> You don't know how much time I've spend staring at this line to find
> the
> bug in it and haven't seen it. Got bug reports about that for month
> as well.
Yeah, sorry about that. We should probably have Kunit tests exercising
OOM in the pool code involving WC pages.
I'll push this to drm-misc-next.
/Thomas
>
> Reviewed-by: Christian König
>
> > ---
> > drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/ttm/ttm_pool.c
> > b/drivers/gpu/drm/ttm/ttm_pool.c
> > index b62f420a9f96..112438d965ff 100644
> > --- a/drivers/gpu/drm/ttm/ttm_pool.c
> > +++ b/drivers/gpu/drm/ttm/ttm_pool.c
> > @@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct ttm_pool
> > *pool, struct ttm_tt *tt,
> > enum ttm_caching caching,
> > pgoff_t start_page, pgoff_t
> > end_page)
> > {
> > - struct page **pages = tt->pages;
> > + struct page **pages = >pages[start_page];
> > unsigned int order;
> > pgoff_t i, nr;
> >
>
Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
Am 21.02.24 um 08:33 schrieb Thomas Hellström:
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
You don't know how much time I've spend staring at this line to find the
bug in it and haven't seen it. Got bug reports about that for month as well.
Reviewed-by: Christian König
---
drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
index b62f420a9f96..112438d965ff 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct ttm_pool *pool,
struct ttm_tt *tt,
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
Re: [PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
On 21/02/2024 07:33, Thomas Hellström wrote:
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
Reviewed-by: Matthew Auld
[PATCH] drm/ttm: Fix an invalid freeing on already freed page in error path
If caching mode change fails due to, for example, OOM we
free the allocated pages in a two-step process. First the pages
for which the caching change has already succeeded. Secondly
the pages for which a caching change did not succeed.
However the second step was incorrectly freeing the pages already
freed in the first step.
Fix.
Signed-off-by: Thomas Hellström
Fixes: 379989e7cbdc ("drm/ttm/pool: Fix ttm_pool_alloc error path")
Cc: Christian König
Cc: Dave Airlie
Cc: Christian Koenig
Cc: Huang Rui
Cc: dri-devel@lists.freedesktop.org
Cc: # v6.4+
---
drivers/gpu/drm/ttm/ttm_pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
index b62f420a9f96..112438d965ff 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -387,7 +387,7 @@ static void ttm_pool_free_range(struct ttm_pool *pool,
struct ttm_tt *tt,
enum ttm_caching caching,
pgoff_t start_page, pgoff_t end_page)
{
- struct page **pages = tt->pages;
+ struct page **pages = >pages[start_page];
unsigned int order;
pgoff_t i, nr;
--
2.43.0
