From: Maarten Lankhorst Date: Thu, 8 Jan 2026 10:10:20 +0000 (+0100) Subject: drm/xe: Do not dereference ggtt_node in xe_bo.c X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9086170bfb925c90e298134791a9851ed626b873;p=thirdparty%2Fkernel%2Flinux.git drm/xe: Do not dereference ggtt_node in xe_bo.c A careful inspection of __xe_ggtt_insert_bo_at() shows that the ggtt_node can always be seen as inserted from xe_bo.c due to the way error handling is performed. The checks are also a little bit too paranoid, since we never create a bo with ggtt_node[id] initialised but not inserted into the GGTT, which can be seen by looking at __xe_ggtt_insert_bo_at() Additionally, the size of the GGTT is never bigger than 4 GB, so adding a check at that level is incorrect. Signed-off-by: Maarten Lankhorst Reviewed-by: Matthew Brost Link: https://patch.msgid.link/20260108101014.579906-14-dev@lankhorst.se --- diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 408c74216fdf..917e50c276ac 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -1715,7 +1715,7 @@ static void xe_ttm_bo_destroy(struct ttm_buffer_object *ttm_bo) xe_assert(xe, list_empty(&ttm_bo->base.gpuva.list)); for_each_tile(tile, xe, id) - if (bo->ggtt_node[id] && bo->ggtt_node[id]->base.size) + if (bo->ggtt_node[id]) xe_ggtt_remove_bo(tile->mem.ggtt, bo); #ifdef CONFIG_PROC_FS @@ -3609,8 +3609,8 @@ void xe_bo_put(struct xe_bo *bo) might_lock(&bo->client->bos_lock); #endif for_each_tile(tile, xe_bo_device(bo), id) - if (bo->ggtt_node[id] && bo->ggtt_node[id]->ggtt) - xe_ggtt_might_lock(bo->ggtt_node[id]->ggtt); + if (bo->ggtt_node[id]) + xe_ggtt_might_lock(tile->mem.ggtt); drm_gem_object_put(&bo->ttm.base); } }