drm/nouveau: release vga_ram allocation before tearing down mm's

Message ID 1304784207-18456-1-git-send-email-daniel.vetter@ffwll.ch
State New, archived

Commit Message

Daniel Vetter May 7, 2011, 4:03 p.m. UTC
Otherwise we have a use-after-free.

Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
 drivers/gpu/drm/nouveau/nouveau_mem.c   |    2 --
 drivers/gpu/drm/nouveau/nouveau_state.c |    2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Ben Skeggs May 8, 2011, 10:39 p.m. UTC | #1
On Sat, 2011-05-07 at 18:03 +0200, Daniel Vetter wrote:
> Otherwise we have a use-after free.
> 
> Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Ah, we actually have a patch in the nouveau git tree fixing this
already.

I'll get this upstream ASAP.

Ben.

> ---
>  drivers/gpu/drm/nouveau/nouveau_mem.c   |    2 --
>  drivers/gpu/drm/nouveau/nouveau_state.c |    2 ++
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c
> index 5045f8b..c3e953b 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_mem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
> @@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev)
>  {
>  	struct drm_nouveau_private *dev_priv = dev->dev_private;
>  
> -	nouveau_bo_ref(NULL, &dev_priv->vga_ram);
> -
>  	ttm_bo_device_release(&dev_priv->ttm.bdev);
>  
>  	nouveau_ttm_global_release(dev_priv);
> diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c
> index a30adec..1fe6503 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_state.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_state.c
> @@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev)
>  	engine->mc.takedown(dev);
>  	engine->display.late_takedown(dev);
>  
> +	nouveau_bo_ref(NULL, &dev_priv->vga_ram);
> +
>  	mutex_lock(&dev->struct_mutex);
>  	ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM);
>  	ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);

Patch

diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c
index 5045f8b..c3e953b 100644
--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
@@ -152,8 +152,6 @@  nouveau_mem_vram_fini(struct drm_device *dev)
 {
 	struct drm_nouveau_private *dev_priv = dev->dev_private;
 
-	nouveau_bo_ref(NULL, &dev_priv->vga_ram);
-
 	ttm_bo_device_release(&dev_priv->ttm.bdev);
 
 	nouveau_ttm_global_release(dev_priv);
diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c
index a30adec..1fe6503 100644
--- a/drivers/gpu/drm/nouveau/nouveau_state.c
+++ b/drivers/gpu/drm/nouveau/nouveau_state.c
@@ -768,6 +768,8 @@  static void nouveau_card_takedown(struct drm_device *dev)
 	engine->mc.takedown(dev);
 	engine->display.late_takedown(dev);
 
+	nouveau_bo_ref(NULL, &dev_priv->vga_ram);
+
 	mutex_lock(&dev->struct_mutex);
 	ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM);
 	ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);
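Review bot: The ordering that the added `nouveau_bo_ref(NULL, &dev_priv->vga_ram);` depends on is not recorded in nouveau_card_takedown. The reference has to be dropped before the `ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM)` call below it, and nothing in the code stops a later cleanup from moving it back and reintroducing the use-after-free. A comment above the line would pin this, for example `/* drop vga_ram before ttm_bo_clean_mm() tears down the VRAM mm; releasing it afterwards is a use-after-free */`. Separately, the release was removed from nouveau_mem_vram_fini, so any caller that reaches it without going through nouveau_card_takedown (possibly an init error-unwind path, not visible in this patch) would no longer drop vga_ram; that is worth checking. The body of nouveau_card_takedown starts and ends outside the hunk.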