drm/ttm: unbind ttm before destroying node in accel move cleanup
authorBen Skeggs <bskeggs@redhat.com>
Mon, 22 Aug 2011 03:15:04 +0000 (03:15 +0000)
committerDave Airlie <airlied@redhat.com>
Tue, 23 Aug 2011 08:35:16 +0000 (09:35 +0100)
Nouveau makes the assumption that if a TTM is bound there will be a mm_node
around for it and the backwards ordering here resulted in a use-after-free
on some eviction paths.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/ttm/ttm_bo_util.c

index 77dbf408c0d01d86e2fe27a5d3cbc836d17ab46c..ae3c6f5dd2b71acee36f863deafc3896a874010e 100644 (file)
@@ -635,13 +635,13 @@ int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo,
                if (ret)
                        return ret;
 
-               ttm_bo_free_old_node(bo);
                if ((man->flags & TTM_MEMTYPE_FLAG_FIXED) &&
                    (bo->ttm != NULL)) {
                        ttm_tt_unbind(bo->ttm);
                        ttm_tt_destroy(bo->ttm);
                        bo->ttm = NULL;
                }
+               ttm_bo_free_old_node(bo);
        } else {
                /**
                 * This should help pipeline ordinary buffer moves.