diff options
| author | Ben Skeggs <bskeggs@redhat.com> | 2011-08-22 03:15:04 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-10-25 07:10:15 +0200 |
| commit | 726e2766e04f31620d61cbb8bd9fbf7abe962d02 (patch) | |
| tree | 2eb4d451cec0837e096ec5ec2ce86b27a000d00f | |
| parent | 379791a66688385cf75c8aece1a81fc68f536cd4 (diff) | |
| download | kernel_samsung_smdk4412-726e2766e04f31620d61cbb8bd9fbf7abe962d02.zip kernel_samsung_smdk4412-726e2766e04f31620d61cbb8bd9fbf7abe962d02.tar.gz kernel_samsung_smdk4412-726e2766e04f31620d61cbb8bd9fbf7abe962d02.tar.bz2 | |
drm/ttm: unbind ttm before destroying node in accel move cleanup
commit eac2095398668f989a3dd8d00be1b87850d78c01 upstream.
Nouveau makes the assumption that if a TTM is bound there will be a mm_node
around for it and the backwards ordering here resulted in a use-after-free
on some eviction paths.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cc: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | drivers/gpu/drm/ttm/ttm_bo_util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpu/drm/ttm/ttm_bo_util.c b/drivers/gpu/drm/ttm/ttm_bo_util.c index 77dbf40..ae3c6f5 100644 --- a/drivers/gpu/drm/ttm/ttm_bo_util.c +++ b/drivers/gpu/drm/ttm/ttm_bo_util.c @@ -635,13 +635,13 @@ int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo, if (ret) return ret; - ttm_bo_free_old_node(bo); if ((man->flags & TTM_MEMTYPE_FLAG_FIXED) && (bo->ttm != NULL)) { ttm_tt_unbind(bo->ttm); ttm_tt_destroy(bo->ttm); bo->ttm = NULL; } + ttm_bo_free_old_node(bo); } else { /** * This should help pipeline ordinary buffer moves. |