Skip to content

Commit 4481913

Browse files
yunxialiChristianKoenigAMD
authored andcommitted
drm/ttm: fix bulk_move corruption when adding a entry
When the resource is the first in the bulk_move range, adding it again (thus moving it to the tail) will corrupt the list since the first pointer is not moved. This eventually lead to null pointer deref in ttm_lru_bulk_move_del() Fixes: fee2ede ("drm/ttm: rework bulk move handling v5") Signed-off-by: Yunxiang Li <[email protected]> Reviewed-by: Christian König <[email protected]> CC: [email protected] Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Christian König <[email protected]>
1 parent 98703e4 commit 4481913

File tree

1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

drivers/gpu/drm/ttm/ttm_resource.c

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,8 @@ static void ttm_lru_bulk_move_pos_tail(struct ttm_lru_bulk_move_pos *pos,
8686
struct ttm_resource *res)
8787
{
8888
if (pos->last != res) {
89+
if (pos->first == res)
90+
pos->first = list_next_entry(res, lru);
8991
list_move(&res->lru, &pos->last->lru);
9092
pos->last = res;
9193
}
@@ -111,7 +113,8 @@ static void ttm_lru_bulk_move_del(struct ttm_lru_bulk_move *bulk,
111113
{
112114
struct ttm_lru_bulk_move_pos *pos = ttm_lru_bulk_move_pos(bulk, res);
113115

114-
if (unlikely(pos->first == res && pos->last == res)) {
116+
if (unlikely(WARN_ON(!pos->first || !pos->last) ||
117+
pos->first == res && pos->last == res)) {
115118
pos->first = NULL;
116119
pos->last = NULL;
117120
} else if (pos->first == res) {

0 commit comments

Comments
 (0)