From patchwork Sat May 7 16:03:27 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Daniel Vetter X-Patchwork-Id: 764522 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p47G4Chb002203 for ; Sat, 7 May 2011 16:04:32 GMT Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 04E539E997 for ; Sat, 7 May 2011 09:04:12 -0700 (PDT) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-wy0-f177.google.com (mail-wy0-f177.google.com [74.125.82.177]) by gabe.freedesktop.org (Postfix) with ESMTP id 6EF3D9E759; Sat, 7 May 2011 09:03:39 -0700 (PDT) Received: by wyb28 with SMTP id 28so3849884wyb.36 for ; Sat, 07 May 2011 09:03:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=domainkey-signature:from:to:cc:subject:date:message-id:x-mailer :in-reply-to:references:mime-version:content-type :content-transfer-encoding; bh=Z3S2AxAgVwccmLtQqgbMPNR/0YhGoNdGBuBu4d1eaeI=; b=aTCNIh4TuzrFTBze8/MLcHdn/Z3SRlYnVQzPV4n/LNXD5aZI/7/YKhiVI+Ag4ip0/Y YV/Qb0dAubaTyKk+U5Lo7nwlyGRZktPo9sg3zuksbmXsDUBtG2qhkqtm1L6DaIF1U2lT 2GuobRXuQDN4w1IWw8pAJwryVCc5F6nwRwIq0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=ffwll.ch; s=google; h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references :mime-version:content-type:content-transfer-encoding; b=LhJzyzpksbC13VuO/SSqvPHfjHW8kjJ7CNinmrP3wyiMn1eYyik5D0CtnRcWKvAid0 xKdOpSruWkbQaUMADyb/J3WMtUYehZ8snIabR5rTiXrnqIvUVc3DZVxpLeE6/wqXvf1D ncIhXDRMBKvzBQ4cjAnri6MnTVmtn+zuUQykw= Received: by 10.227.203.145 with SMTP id fi17mr5055115wbb.106.1304784218518; Sat, 07 May 2011 09:03:38 -0700 (PDT) Received: from localhost.localdomain (cable-static-216-166.intergga.ch [87.102.216.166]) by mx.google.com with ESMTPS id bs4sm2658282wbb.52.2011.05.07.09.03.37 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 07 May 2011 09:03:37 -0700 (PDT) From: Daniel Vetter To: Ben Skeggs Subject: [PATCH] drm/nouveau: release vga_ram allocation before tearing down mm's Date: Sat, 7 May 2011 18:03:27 +0200 Message-Id: <1304784207-18456-1-git-send-email-daniel.vetter@ffwll.ch> X-Mailer: git-send-email 1.7.5.1 In-Reply-To: <20110507144519.12cb3d4f@neptune.home> References: <20110507144519.12cb3d4f@neptune.home> MIME-Version: 1.0 Cc: nouveau@lists.freedesktop.org, bonbons@linux-vserver.org, dri-devel@lists.freedesktop.org, Daniel Vetter X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org Errors-To: dri-devel-bounces+patchwork-dri-devel=patchwork.kernel.org@lists.freedesktop.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Sat, 07 May 2011 16:04:32 +0000 (UTC) X-MIME-Autoconverted: from base64 to 8bit by demeter1.kernel.org id p47G4Chb002203 Otherwise we have a use-after free. Tested-and-Reported-by: Bruno Prémont Signed-off-by: Daniel Vetter --- drivers/gpu/drm/nouveau/nouveau_mem.c | 2 -- drivers/gpu/drm/nouveau/nouveau_state.c | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c index 5045f8b..c3e953b 100644 --- a/drivers/gpu/drm/nouveau/nouveau_mem.c +++ b/drivers/gpu/drm/nouveau/nouveau_mem.c @@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev) { struct drm_nouveau_private *dev_priv = dev->dev_private; - nouveau_bo_ref(NULL, &dev_priv->vga_ram); - ttm_bo_device_release(&dev_priv->ttm.bdev); nouveau_ttm_global_release(dev_priv); diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c index a30adec..1fe6503 100644 --- a/drivers/gpu/drm/nouveau/nouveau_state.c +++ b/drivers/gpu/drm/nouveau/nouveau_state.c @@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev) engine->mc.takedown(dev); engine->display.late_takedown(dev); + nouveau_bo_ref(NULL, &dev_priv->vga_ram); + mutex_lock(&dev->struct_mutex); ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM); ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);