| From eac2095398668f989a3dd8d00be1b87850d78c01 Mon Sep 17 00:00:00 2001 |
| From: Ben Skeggs <bskeggs@redhat.com> |
| Date: Mon, 22 Aug 2011 03:15:04 +0000 |
| Subject: drm/ttm: unbind ttm before destroying node in accel move cleanup |
| |
| From: Ben Skeggs <bskeggs@redhat.com> |
| |
| commit eac2095398668f989a3dd8d00be1b87850d78c01 upstream. |
| |
| Nouveau makes the assumption that if a TTM is bound there will be a mm_node |
| around for it and the backwards ordering here resulted in a use-after-free |
| on some eviction paths. |
| |
| Signed-off-by: Ben Skeggs <bskeggs@redhat.com> |
| Signed-off-by: Dave Airlie <airlied@redhat.com> |
| Cc: Josh Boyer <jwboyer@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/gpu/drm/ttm/ttm_bo_util.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/gpu/drm/ttm/ttm_bo_util.c |
| +++ b/drivers/gpu/drm/ttm/ttm_bo_util.c |
| @@ -635,13 +635,13 @@ int ttm_bo_move_accel_cleanup(struct ttm |
| if (ret) |
| return ret; |
| |
| - ttm_bo_free_old_node(bo); |
| if ((man->flags & TTM_MEMTYPE_FLAG_FIXED) && |
| (bo->ttm != NULL)) { |
| ttm_tt_unbind(bo->ttm); |
| ttm_tt_destroy(bo->ttm); |
| bo->ttm = NULL; |
| } |
| + ttm_bo_free_old_node(bo); |
| } else { |
| /** |
| * This should help pipeline ordinary buffer moves. |
