Revert "ttm: Include the 'struct dev' when using the DMA API."
authorDave Airlie <airlied@redhat.com>
Wed, 23 Feb 2011 04:24:01 +0000 (14:24 +1000)
committerDave Airlie <airlied@redhat.com>
Wed, 23 Feb 2011 04:24:01 +0000 (14:24 +1000)
This reverts commit 5a893fc28f0393adb7c885a871b8c59e623fd528.

This causes a use after free in the ttm free alloc pages path,
when it tries to get the be after the be has been destroyed.

Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/nouveau/nouveau_mem.c
drivers/gpu/drm/radeon/radeon_ttm.c
drivers/gpu/drm/ttm/ttm_page_alloc.c
drivers/gpu/drm/ttm/ttm_tt.c
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
include/drm/ttm/ttm_bo_driver.h
include/drm/ttm/ttm_page_alloc.h

index 2b4e5e91211079c8384daba149b3786a0dc8dca0..123969dd4f56984925be9e2e244f21369542ea77 100644 (file)
@@ -409,7 +409,6 @@ nouveau_mem_vram_init(struct drm_device *dev)
        if (ret)
                return ret;
 
-       dev_priv->ttm.bdev.dev = dev->dev;
        ret = ttm_bo_device_init(&dev_priv->ttm.bdev,
                                 dev_priv->ttm.bo_global_ref.ref.object,
                                 &nouveau_bo_driver, DRM_FILE_PAGE_OFFSET,
index 177adc884b74b2b419629d090aec49a7991d065a..df5734d0c4afa4d406c56efe2e0ec790e4a5d889 100644 (file)
@@ -513,7 +513,6 @@ int radeon_ttm_init(struct radeon_device *rdev)
        if (r) {
                return r;
        }
-       rdev->mman.bdev.dev = rdev->dev;
        /* No others user of address space so set it to 0 */
        r = ttm_bo_device_init(&rdev->mman.bdev,
                               rdev->mman.bo_global_ref.ref.object,
index 35849dbf3ab5f69a976f6ed44bd7b417be1307b1..737a2a2e46a58ca7ee66cbf67c0afd0583275ff6 100644 (file)
@@ -664,7 +664,7 @@ out:
  */
 int ttm_get_pages(struct list_head *pages, int flags,
                  enum ttm_caching_state cstate, unsigned count,
-                 dma_addr_t *dma_address, struct device *dev)
+                 dma_addr_t *dma_address)
 {
        struct ttm_page_pool *pool = ttm_get_pool(flags, cstate);
        struct page *p = NULL;
@@ -685,7 +685,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
                for (r = 0; r < count; ++r) {
                        if ((flags & TTM_PAGE_FLAG_DMA32) && dma_address) {
                                void *addr;
-                               addr = dma_alloc_coherent(dev, PAGE_SIZE,
+                               addr = dma_alloc_coherent(NULL, PAGE_SIZE,
                                                          &dma_address[r],
                                                          gfp_flags);
                                if (addr == NULL)
@@ -730,7 +730,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
                        printk(KERN_ERR TTM_PFX
                               "Failed to allocate extra pages "
                               "for large request.");
-                       ttm_put_pages(pages, 0, flags, cstate, NULL, NULL);
+                       ttm_put_pages(pages, 0, flags, cstate, NULL);
                        return r;
                }
        }
@@ -741,8 +741,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
 
 /* Put all pages in pages list to correct pool to wait for reuse */
 void ttm_put_pages(struct list_head *pages, unsigned page_count, int flags,
-                  enum ttm_caching_state cstate, dma_addr_t *dma_address,
-                  struct device *dev)
+                  enum ttm_caching_state cstate, dma_addr_t *dma_address)
 {
        unsigned long irq_flags;
        struct ttm_page_pool *pool = ttm_get_pool(flags, cstate);
@@ -758,7 +757,7 @@ void ttm_put_pages(struct list_head *pages, unsigned page_count, int flags,
                                void *addr = page_address(p);
                                WARN_ON(!addr || !dma_address[r]);
                                if (addr)
-                                       dma_free_coherent(dev, PAGE_SIZE,
+                                       dma_free_coherent(NULL, PAGE_SIZE,
                                                          addr,
                                                          dma_address[r]);
                                dma_address[r] = 0;
index 0f8fc9ff0c538b927d6ffaa8a05e8d2715b92881..86d5b1745a45a09cc0dd977a0cf6b1b655bc99cd 100644 (file)
@@ -110,7 +110,7 @@ static struct page *__ttm_tt_get_page(struct ttm_tt *ttm, int index)
                INIT_LIST_HEAD(&h);
 
                ret = ttm_get_pages(&h, ttm->page_flags, ttm->caching_state, 1,
-                                   &ttm->dma_address[index], ttm->be->bdev->dev);
+                                   &ttm->dma_address[index]);
 
                if (ret != 0)
                        return NULL;
@@ -304,7 +304,7 @@ static void ttm_tt_free_alloced_pages(struct ttm_tt *ttm)
                }
        }
        ttm_put_pages(&h, count, ttm->page_flags, ttm->caching_state,
-                     ttm->dma_address, ttm->be->bdev->dev);
+                     ttm->dma_address);
        ttm->state = tt_unpopulated;
        ttm->first_himem_page = ttm->num_pages;
        ttm->last_lomem_page = -1;
index df04661e2b939c2475b6f3ea5ff9086e9e1ddd3b..96949b93d9205fd4e2f925f40c8fc48f35642045 100644 (file)
@@ -322,7 +322,7 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
        ttm_lock_set_kill(&dev_priv->fbdev_master.lock, false, SIGTERM);
        dev_priv->active_master = &dev_priv->fbdev_master;
 
-       dev_priv->bdev.dev = dev->dev;
+
        ret = ttm_bo_device_init(&dev_priv->bdev,
                                 dev_priv->bo_global_ref.ref.object,
                                 &vmw_bo_driver, VMWGFX_FILE_PAGE_OFFSET,
index 38ff0682260927c6b95b0bbc81f00903bdbb7a30..efed0820d9fa8458671745699f44b732616baa8d 100644 (file)
@@ -551,7 +551,6 @@ struct ttm_bo_device {
        struct list_head device_list;
        struct ttm_bo_global *glob;
        struct ttm_bo_driver *driver;
-       struct device *dev;
        rwlock_t vm_lock;
        struct ttm_mem_type_manager man[TTM_NUM_MEM_TYPES];
        spinlock_t fence_lock;
index ccb6b7a240e2a3aacfbd63c5556c5eb6cc06ed18..8062890f725ef49955c231f5a09202539eebe0fc 100644 (file)
  * @cstate: ttm caching state for the page.
  * @count: number of pages to allocate.
  * @dma_address: The DMA (bus) address of pages (if TTM_PAGE_FLAG_DMA32 set).
- * @dev: struct device for appropiate DMA accounting.
  */
 int ttm_get_pages(struct list_head *pages,
                  int flags,
                  enum ttm_caching_state cstate,
                  unsigned count,
-                 dma_addr_t *dma_address,
-                 struct device *dev);
+                 dma_addr_t *dma_address);
 /**
  * Put linked list of pages to pool.
  *
@@ -54,14 +52,12 @@ int ttm_get_pages(struct list_head *pages,
  * @flags: ttm flags for page allocation.
  * @cstate: ttm caching state.
  * @dma_address: The DMA (bus) address of pages (if TTM_PAGE_FLAG_DMA32 set).
- * @dev: struct device for appropiate DMA accounting.
  */
 void ttm_put_pages(struct list_head *pages,
                   unsigned page_count,
                   int flags,
                   enum ttm_caching_state cstate,
-                  dma_addr_t *dma_address,
-                  struct device *dev);
+                  dma_addr_t *dma_address);
 /**
  * Initialize pool allocator.
  */