TTM owns the pages it uses for backing buffer objects with system memory. Because of this it is absolutely illegal to mess around with the reference count of those pages. So make sure that nobody ever tries to grab an extra reference on pages allocated through the page pool.
v2: handle DMA pages as well
Signed-off-by: Christian König <christian.koenig@xxxxxxx>
---
 drivers/gpu/drm/ttm/ttm_pool.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
index 21b61631f73a..4da736e7b5aa 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -93,9 +93,11 @@ static struct page *ttm_pool_alloc_page(struct ttm_pool *pool, gfp_t gfp_flags,
 
 if (!pool->use_dma_alloc) {
 p = alloc_pages(gfp_flags, order);
- if (p)
- p->private = order;
- return p;
+ if (!p)
+ return NULL;
+
+ p->private = order;
+ goto out_set_page_count;
 }
 
 dma = kmalloc(sizeof(*dma), GFP_KERNEL);
@@ -120,6 +122,14 @@ static struct page *ttm_pool_alloc_page(struct ttm_pool *pool, gfp_t gfp_flags,
 
 dma->vaddr = (unsigned long)vaddr | order;
 p->private = (unsigned long)dma;
+
+out_set_page_count:
+ /* The pages are fully owned by TTM and because of this it's illegal to
+ * grab extra references to it or otherwise we corrupt TTMs internal
+ * state. Make sure nobody tries to ever increase the reference count
+ * of those pages.
+ */
+ set_page_count(p, 0);
 return p;
 
 error_free:
@@ -142,6 +152,9 @@ static void ttm_pool_free_page(struct ttm_pool *pool, enum ttm_caching caching,
 if (caching != ttm_cached && !PageHighMem(p))
 set_pages_wb(p, 1 << order);
 #endif
+ /* See alloc why references to TTMs pages are illegal */
+ WARN_ON(page_count(p));
+ set_page_count(p, 1);
 
 if (!pool || !pool->use_dma_alloc) {
 __free_pages(p, order);
-- 
2.25.1
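Review bot: The comment above `set_page_count(p, 0)` promises more than a zero count delivers: it makes `get_page_unless_zero()`-style lookups fail, but an unconditional `get_page()` on such a page still increments the count (as far as I know it is only trapped by a `VM_BUG_ON_PAGE` when CONFIG_DEBUG_VM is set), and the matching `put_page()` would then drop the count back to zero and free the page while TTM still uses it. I would reword the comment to say which callers are refused and that any other violation is only noticed later, when the page is handed back through ttm_pool_free_page(). For order > 0 only the head page `p` is touched here, so whether the tail pages are covered depends on the gfp flags and on how the DMA path derives `p`, both of which are set outside this hunk. The function starts and ends outside the hunk.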
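Review bot: When `WARN_ON(page_count(p))` fires, the next line still forces the count to 1 and the page goes on to be freed, so whoever took the stray reference keeps a pointer to memory that has been returned to the allocator. Leaking the page is the safer failure mode for a refcount violation; consider `if (WARN_ON_ONCE(page_count(p))) return;`, though the DMA bookkeeping released further down (outside this hunk) would then leak as well, so confirm that is acceptable. `_ONCE` also keeps a repeated violation from flooding the log. The check looks only at the head page, so a reference taken on a tail page of an order > 0 allocation would pass unnoticed. The comment would read better as `/* See ttm_pool_alloc_page() for why references to TTM's pages are illegal */`.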