Commit eac20953 authored Aug 22, 2011 by Ben Skeggs Committed by Dave Airlie Aug 23, 2011

drm/ttm: unbind ttm before destroying node in accel move cleanup



Nouveau makes the assumption that if a TTM is bound there will be a mm_node
around for it and the backwards ordering here resulted in a use-after-free
on some eviction paths.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

parent 7c4c3960

drivers/gpu/drm/ttm/ttm_bo_util.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -635,13 +635,13 @@ int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo,
		if (ret)
		return ret;

		ttm_bo_free_old_node(bo);
		if ((man->flags & TTM_MEMTYPE_FLAG_FIXED) &&
		(bo->ttm != NULL)) {
		ttm_tt_unbind(bo->ttm);
		ttm_tt_destroy(bo->ttm);
		bo->ttm = NULL;
		}
		ttm_bo_free_old_node(bo);
		} else {
		/**
		* This should help pipeline ordinary buffer moves.