aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorLuca Barbieri <luca@luca-barbieri.com>2010-01-05 22:02:45 -0500
committerDave Airlie <airlied@redhat.com>2010-01-10 23:41:17 -0500
commitd6126c5c8b2019658aadc9754dca80a7573dbff5 (patch)
tree8c16737a07bf7b80b8048c3f13802c74ef5662b8 /drivers
parentdc8d76cac942e7344a72ad18afb90fa46cf20bb4 (diff)
drm/nouveau: Fix null deref in nouveau_fence_emit due to deleted fence
Currently Nouveau will unvalidate all buffers if it is forced to wait on one, and then start revalidating from the beginning. While doing so, it destroys the operation fence, causing nouveau_fence_emit to crash. This patch fixes this bug by taking the fence object out of validate_op and creating it just before emit. The fence pointer is initialized to 0 and unref'ed unconditionally. In addition to fixing the bug, this prevents its reintroduction and simplifies the code. Signed-off-by: Luca Barbieri <luca@luca-barbieri.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/gpu/drm/nouveau/nouveau_gem.c33
1 files changed, 13 insertions, 20 deletions
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 18fd8ac9fca7..2009db2426c3 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -220,7 +220,6 @@ nouveau_gem_set_domain(struct drm_gem_object *gem, uint32_t read_domains,
220} 220}
221 221
222struct validate_op { 222struct validate_op {
223 struct nouveau_fence *fence;
224 struct list_head vram_list; 223 struct list_head vram_list;
225 struct list_head gart_list; 224 struct list_head gart_list;
226 struct list_head both_list; 225 struct list_head both_list;
@@ -252,17 +251,11 @@ validate_fini_list(struct list_head *list, struct nouveau_fence *fence)
252} 251}
253 252
254static void 253static void
255validate_fini(struct validate_op *op, bool success) 254validate_fini(struct validate_op *op, struct nouveau_fence* fence)
256{ 255{
257 struct nouveau_fence *fence = op->fence; 256 validate_fini_list(&op->vram_list, fence);
258 257 validate_fini_list(&op->gart_list, fence);
259 if (unlikely(!success)) 258 validate_fini_list(&op->both_list, fence);
260 op->fence = NULL;
261
262 validate_fini_list(&op->vram_list, op->fence);
263 validate_fini_list(&op->gart_list, op->fence);
264 validate_fini_list(&op->both_list, op->fence);
265 nouveau_fence_unref((void *)&fence);
266} 259}
267 260
268static int 261static int
@@ -420,10 +413,6 @@ nouveau_gem_pushbuf_validate(struct nouveau_channel *chan,
420 INIT_LIST_HEAD(&op->gart_list); 413 INIT_LIST_HEAD(&op->gart_list);
421 INIT_LIST_HEAD(&op->both_list); 414 INIT_LIST_HEAD(&op->both_list);
422 415
423 ret = nouveau_fence_new(chan, &op->fence, false);
424 if (ret)
425 return ret;
426
427 if (nr_buffers == 0) 416 if (nr_buffers == 0)
428 return 0; 417 return 0;
429 418
@@ -541,6 +530,7 @@ nouveau_gem_ioctl_pushbuf(struct drm_device *dev, void *data,
541 struct drm_nouveau_gem_pushbuf_bo *bo = NULL; 530 struct drm_nouveau_gem_pushbuf_bo *bo = NULL;
542 struct nouveau_channel *chan; 531 struct nouveau_channel *chan;
543 struct validate_op op; 532 struct validate_op op;
533 struct nouveau_fence* fence = 0;
544 uint32_t *pushbuf = NULL; 534 uint32_t *pushbuf = NULL;
545 int ret = 0, do_reloc = 0, i; 535 int ret = 0, do_reloc = 0, i;
546 536
@@ -597,7 +587,7 @@ nouveau_gem_ioctl_pushbuf(struct drm_device *dev, void *data,
597 587
598 OUT_RINGp(chan, pushbuf, req->nr_dwords); 588 OUT_RINGp(chan, pushbuf, req->nr_dwords);
599 589
600 ret = nouveau_fence_emit(op.fence); 590 ret = nouveau_fence_new(chan, &fence, true);
601 if (ret) { 591 if (ret) {
602 NV_ERROR(dev, "error fencing pushbuf: %d\n", ret); 592 NV_ERROR(dev, "error fencing pushbuf: %d\n", ret);
603 WIND_RING(chan); 593 WIND_RING(chan);
@@ -605,7 +595,7 @@ nouveau_gem_ioctl_pushbuf(struct drm_device *dev, void *data,
605 } 595 }
606 596
607 if (nouveau_gem_pushbuf_sync(chan)) { 597 if (nouveau_gem_pushbuf_sync(chan)) {
608 ret = nouveau_fence_wait(op.fence, NULL, false, false); 598 ret = nouveau_fence_wait(fence, NULL, false, false);
609 if (ret) { 599 if (ret) {
610 for (i = 0; i < req->nr_dwords; i++) 600 for (i = 0; i < req->nr_dwords; i++)
611 NV_ERROR(dev, "0x%08x\n", pushbuf[i]); 601 NV_ERROR(dev, "0x%08x\n", pushbuf[i]);
@@ -614,7 +604,8 @@ nouveau_gem_ioctl_pushbuf(struct drm_device *dev, void *data,
614 } 604 }
615 605
616out: 606out:
617 validate_fini(&op, ret == 0); 607 validate_fini(&op, fence);
608 nouveau_fence_unref((void**)&fence);
618 mutex_unlock(&dev->struct_mutex); 609 mutex_unlock(&dev->struct_mutex);
619 kfree(pushbuf); 610 kfree(pushbuf);
620 kfree(bo); 611 kfree(bo);
@@ -634,6 +625,7 @@ nouveau_gem_ioctl_pushbuf_call(struct drm_device *dev, void *data,
634 struct drm_gem_object *gem; 625 struct drm_gem_object *gem;
635 struct nouveau_bo *pbbo; 626 struct nouveau_bo *pbbo;
636 struct validate_op op; 627 struct validate_op op;
628 struct nouveau_fence* fence = 0;
637 int i, ret = 0, do_reloc = 0; 629 int i, ret = 0, do_reloc = 0;
638 630
639 NOUVEAU_CHECK_INITIALISED_WITH_RETURN; 631 NOUVEAU_CHECK_INITIALISED_WITH_RETURN;
@@ -772,7 +764,7 @@ nouveau_gem_ioctl_pushbuf_call(struct drm_device *dev, void *data,
772 OUT_RING(chan, 0); 764 OUT_RING(chan, 0);
773 } 765 }
774 766
775 ret = nouveau_fence_emit(op.fence); 767 ret = nouveau_fence_new(chan, &fence, true);
776 if (ret) { 768 if (ret) {
777 NV_ERROR(dev, "error fencing pushbuf: %d\n", ret); 769 NV_ERROR(dev, "error fencing pushbuf: %d\n", ret);
778 WIND_RING(chan); 770 WIND_RING(chan);
@@ -780,7 +772,8 @@ nouveau_gem_ioctl_pushbuf_call(struct drm_device *dev, void *data,
780 } 772 }
781 773
782out: 774out:
783 validate_fini(&op, ret == 0); 775 validate_fini(&op, fence);
776 nouveau_fence_unref((void**)&fence);
784 mutex_unlock(&dev->struct_mutex); 777 mutex_unlock(&dev->struct_mutex);
785 kfree(bo); 778 kfree(bo);
786 779