Revert "ttm: Include the 'struct dev' when using the DMA API."

This reverts commit 5a893fc28f0393adb7c885a871b8c59e623fd528.

This causes a use after free in the ttm free alloc pages path,
when it tries to get the be after the be has been destroyed.

Signed-off-by: Dave Airlie <airlied@redhat.com>

7 files changed, 10 insertions, 18 deletions

diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c
index 2b4e5e912110..123969dd4f56 100644
--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
@@ -409,7 +409,6 @@ nouveau_mem_vram_init(struct drm_device *dev)
         if (ret)
                 return ret;
 
-        dev_priv->ttm.bdev.dev = dev->dev;
         ret = ttm_bo_device_init(&dev_priv->ttm.bdev,
                                  dev_priv->ttm.bo_global_ref.ref.object,
                                  &nouveau_bo_driver, DRM_FILE_PAGE_OFFSET,
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
index 177adc884b74..df5734d0c4af 100644
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -513,7 +513,6 @@ int radeon_ttm_init(struct radeon_device *rdev)
         if (r) {
                 return r;
         }
-        rdev->mman.bdev.dev = rdev->dev;
         /* No others user of address space so set it to 0 */
         r = ttm_bo_device_init(&rdev->mman.bdev,
                                rdev->mman.bo_global_ref.ref.object,
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index 35849dbf3ab5..737a2a2e46a5 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -664,7 +664,7 @@ out:
  */
 int ttm_get_pages(struct list_head *pages, int flags,
                   enum ttm_caching_state cstate, unsigned count,
-                  dma_addr_t *dma_address, struct device *dev)
+                  dma_addr_t *dma_address)
 {
         struct ttm_page_pool *pool = ttm_get_pool(flags, cstate);
         struct page *p = NULL;
@@ -685,7 +685,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
                 for (r = 0; r < count; ++r) {
                         if ((flags & TTM_PAGE_FLAG_DMA32) && dma_address) {
                                 void *addr;
-                                addr = dma_alloc_coherent(dev, PAGE_SIZE,
+                                addr = dma_alloc_coherent(NULL, PAGE_SIZE,
                                                           &dma_address[r],
                                                           gfp_flags);
                                 if (addr == NULL)
@@ -730,7 +730,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
                         printk(KERN_ERR TTM_PFX
                                "Failed to allocate extra pages "
                                "for large request.");
-                        ttm_put_pages(pages, 0, flags, cstate, NULL, NULL);
+                        ttm_put_pages(pages, 0, flags, cstate, NULL);
                         return r;
                 }
         }
@@ -741,8 +741,7 @@ int ttm_get_pages(struct list_head *pages, int flags,
 
 /* Put all pages in pages list to correct pool to wait for reuse */
 void ttm_put_pages(struct list_head *pages, unsigned page_count, int flags,
-                   enum ttm_caching_state cstate, dma_addr_t *dma_address,
-                   struct device *dev)
+                   enum ttm_caching_state cstate, dma_addr_t *dma_address)
 {
         unsigned long irq_flags;
         struct ttm_page_pool *pool = ttm_get_pool(flags, cstate);
@@ -758,7 +757,7 @@ void ttm_put_pages(struct list_head *pages, unsigned page_count, int flags,
                                 void *addr = page_address(p);
                                 WARN_ON(!addr || !dma_address[r]);
                                 if (addr)
-                                        dma_free_coherent(dev, PAGE_SIZE,
+                                        dma_free_coherent(NULL, PAGE_SIZE,
                                                           addr,
                                                           dma_address[r]);
                                 dma_address[r] = 0;
diff --git a/drivers/gpu/drm/ttm/ttm_tt.c b/drivers/gpu/drm/ttm/ttm_tt.c
index 0f8fc9ff0c53..86d5b1745a45 100644
--- a/drivers/gpu/drm/ttm/ttm_tt.c
+++ b/drivers/gpu/drm/ttm/ttm_tt.c
@@ -110,7 +110,7 @@ static struct page *__ttm_tt_get_page(struct ttm_tt *ttm, int index)
                 INIT_LIST_HEAD(&h);
 
                 ret = ttm_get_pages(&h, ttm->page_flags, ttm->caching_state, 1,
-                                    &ttm->dma_address[index], ttm->be->bdev->dev);
+                                    &ttm->dma_address[index]);
 
                 if (ret != 0)
                         return NULL;
@@ -304,7 +304,7 @@ static void ttm_tt_free_alloced_pages(struct ttm_tt *ttm)
                 }
         }
         ttm_put_pages(&h, count, ttm->page_flags, ttm->caching_state,
-                      ttm->dma_address, ttm->be->bdev->dev);
+                      ttm->dma_address);
         ttm->state = tt_unpopulated;
         ttm->first_himem_page = ttm->num_pages;
         ttm->last_lomem_page = -1;
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
index df04661e2b93..96949b93d920 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -322,7 +322,7 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
         ttm_lock_set_kill(&dev_priv->fbdev_master.lock, false, SIGTERM);
         dev_priv->active_master = &dev_priv->fbdev_master;
 
-        dev_priv->bdev.dev = dev->dev;
+
         ret = ttm_bo_device_init(&dev_priv->bdev,
                                  dev_priv->bo_global_ref.ref.object,
                                  &vmw_bo_driver, VMWGFX_FILE_PAGE_OFFSET,
diff --git a/include/drm/ttm/ttm_bo_driver.h b/include/drm/ttm/ttm_bo_driver.h
index 38ff06822609..efed0820d9fa 100644
--- a/include/drm/ttm/ttm_bo_driver.h
+++ b/include/drm/ttm/ttm_bo_driver.h
@@ -551,7 +551,6 @@ struct ttm_bo_device {
         struct list_head device_list;
         struct ttm_bo_global *glob;
         struct ttm_bo_driver *driver;
-        struct device *dev;
         rwlock_t vm_lock;
         struct ttm_mem_type_manager man[TTM_NUM_MEM_TYPES];
         spinlock_t fence_lock;
diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
index ccb6b7a240e2..8062890f725e 100644
--- a/include/drm/ttm/ttm_page_alloc.h
+++ b/include/drm/ttm/ttm_page_alloc.h
@@ -37,14 +37,12 @@
  * @cstate: ttm caching state for the page.
  * @count: number of pages to allocate.
  * @dma_address: The DMA (bus) address of pages (if TTM_PAGE_FLAG_DMA32 set).
- * @dev: struct device for appropiate DMA accounting.
  */
 int ttm_get_pages(struct list_head *pages,
                   int flags,
                   enum ttm_caching_state cstate,
                   unsigned count,
-                  dma_addr_t *dma_address,
-                  struct device *dev);
+                  dma_addr_t *dma_address);
 /**
  * Put linked list of pages to pool.
  *
@@ -54,14 +52,12 @@ int ttm_get_pages(struct list_head *pages,
  * @flags: ttm flags for page allocation.
  * @cstate: ttm caching state.
  * @dma_address: The DMA (bus) address of pages (if TTM_PAGE_FLAG_DMA32 set).
- * @dev: struct device for appropiate DMA accounting.
  */
 void ttm_put_pages(struct list_head *pages,
                    unsigned page_count,
                    int flags,
                    enum ttm_caching_state cstate,
-                   dma_addr_t *dma_address,
-                   struct device *dev);
+                   dma_addr_t *dma_address);
 /**
  * Initialize pool allocator.
  */