From 8e43b1e537d4fb313efac1b5d0d01db0fe35f695 Mon Sep 17 00:00:00 2001 From: Boris Brezillon Date: Thu, 2 May 2024 18:51:57 +0200 Subject: [PATCH] drm/panthor: Fix an off-by-one in the heap context retrieval logic The heap ID is used to index the heap context pool, and allocating in the [1:MAX_HEAPS_PER_POOL] leads to an off-by-one. This was originally to avoid returning a zero heap handle, but given the handle is formed with (vm_id << 16) | heap_id, with vm_id > 0, we already can't end up with a valid heap handle that's zero. v4: - s/XA_FLAGS_ALLOC1/XA_FLAGS_ALLOC/ v3: - Allocate in the [0:MAX_HEAPS_PER_POOL-1] range v2: - New patch Fixes: 9cca48fa4f89 ("drm/panthor: Add the heap logical block") Reported-by: Eric Smith Signed-off-by: Boris Brezillon Tested-by: Eric Smith Reviewed-by: Steven Price Reviewed-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20240502165158.1458959-5-boris.brezillon@collabora.com --- drivers/gpu/drm/panthor/panthor_heap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/panthor/panthor_heap.c b/drivers/gpu/drm/panthor/panthor_heap.c index b0fc5b9ee8479..95a1c6c9f35e0 100644 --- a/drivers/gpu/drm/panthor/panthor_heap.c +++ b/drivers/gpu/drm/panthor/panthor_heap.c @@ -323,7 +323,8 @@ int panthor_heap_create(struct panthor_heap_pool *pool, if (!pool->vm) { ret = -EINVAL; } else { - ret = xa_alloc(&pool->xa, &id, heap, XA_LIMIT(1, MAX_HEAPS_PER_POOL), GFP_KERNEL); + ret = xa_alloc(&pool->xa, &id, heap, + XA_LIMIT(0, MAX_HEAPS_PER_POOL - 1), GFP_KERNEL); if (!ret) { void *gpu_ctx = panthor_get_heap_ctx(pool, id); @@ -543,7 +544,7 @@ panthor_heap_pool_create(struct panthor_device *ptdev, struct panthor_vm *vm) pool->vm = vm; pool->ptdev = ptdev; init_rwsem(&pool->lock); - xa_init_flags(&pool->xa, XA_FLAGS_ALLOC1); + xa_init_flags(&pool->xa, XA_FLAGS_ALLOC); kref_init(&pool->refcount); pool->gpu_contexts = panthor_kernel_bo_create(ptdev, vm, bosize, -- 2.30.2