Message ID | 1304784207-18456-1-git-send-email-daniel.vetter@ffwll.ch (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Sat, 2011-05-07 at 18:03 +0200, Daniel Vetter wrote: > Otherwise we have a use-after free. > > Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org> > Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Ah, we actually have a patch in the nouveau git tree fixing this already. I'll get this upstream ASAP. Ben. > --- > drivers/gpu/drm/nouveau/nouveau_mem.c | 2 -- > drivers/gpu/drm/nouveau/nouveau_state.c | 2 ++ > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c > index 5045f8b..c3e953b 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_mem.c > +++ b/drivers/gpu/drm/nouveau/nouveau_mem.c > @@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev) > { > struct drm_nouveau_private *dev_priv = dev->dev_private; > > - nouveau_bo_ref(NULL, &dev_priv->vga_ram); > - > ttm_bo_device_release(&dev_priv->ttm.bdev); > > nouveau_ttm_global_release(dev_priv); > diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c > index a30adec..1fe6503 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_state.c > +++ b/drivers/gpu/drm/nouveau/nouveau_state.c > @@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev) > engine->mc.takedown(dev); > engine->display.late_takedown(dev); > > + nouveau_bo_ref(NULL, &dev_priv->vga_ram); > + > mutex_lock(&dev->struct_mutex); > ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM); > ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);
diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c index 5045f8b..c3e953b 100644 --- a/drivers/gpu/drm/nouveau/nouveau_mem.c +++ b/drivers/gpu/drm/nouveau/nouveau_mem.c @@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev) { struct drm_nouveau_private *dev_priv = dev->dev_private; - nouveau_bo_ref(NULL, &dev_priv->vga_ram); - ttm_bo_device_release(&dev_priv->ttm.bdev); nouveau_ttm_global_release(dev_priv); diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c index a30adec..1fe6503 100644 --- a/drivers/gpu/drm/nouveau/nouveau_state.c +++ b/drivers/gpu/drm/nouveau/nouveau_state.c @@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev) engine->mc.takedown(dev); engine->display.late_takedown(dev); + nouveau_bo_ref(NULL, &dev_priv->vga_ram); + mutex_lock(&dev->struct_mutex); ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM); ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);
Otherwise we have a use-after free. Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> --- drivers/gpu/drm/nouveau/nouveau_mem.c | 2 -- drivers/gpu/drm/nouveau/nouveau_state.c | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-)