Commit 43f78979 authored by Aleksi Torhamo's avatar Aleksi Torhamo Committed by Ben Skeggs

drm/nvc0/fb: fix crash when different mutex is used to protect same list

Fixes regression introduced in commit 861d2107
"drm/nouveau/fb: merge fb/vram and port to subdev interfaces"

nv50_fb_vram_{new,del} functions were changed to use
nouveau_subdev->mutex instead of the old nouveau_mm->mutex.
nvc0_fb_vram_new still uses the nouveau_mm->mutex, but nvc0 doesn't
have its own fb_vram_del function, using nv50_fb_vram_del instead.
Because of this, on nvc0 a different mutex ends up being used to protect
additions and deletions to the same list.

This patch is a -stable candidate for 3.7.
Signed-off-by: default avatarAleksi Torhamo <aleksi@torhamo.net>
Reported-by: default avatarRoy Spliet <r.spliet@student.tudelft.nl>
Tested-by: default avatarRoy Spliet <r.spliet@student.tudelft.nl>
Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
Cc: stable@vger.kernel.org
parent d19528a9
...@@ -145,14 +145,14 @@ nvc0_fb_vram_new(struct nouveau_fb *pfb, u64 size, u32 align, u32 ncmin, ...@@ -145,14 +145,14 @@ nvc0_fb_vram_new(struct nouveau_fb *pfb, u64 size, u32 align, u32 ncmin,
mem->memtype = type; mem->memtype = type;
mem->size = size; mem->size = size;
mutex_lock(&mm->mutex); mutex_lock(&pfb->base.mutex);
do { do {
if (back) if (back)
ret = nouveau_mm_tail(mm, 1, size, ncmin, align, &r); ret = nouveau_mm_tail(mm, 1, size, ncmin, align, &r);
else else
ret = nouveau_mm_head(mm, 1, size, ncmin, align, &r); ret = nouveau_mm_head(mm, 1, size, ncmin, align, &r);
if (ret) { if (ret) {
mutex_unlock(&mm->mutex); mutex_unlock(&pfb->base.mutex);
pfb->ram.put(pfb, &mem); pfb->ram.put(pfb, &mem);
return ret; return ret;
} }
...@@ -160,7 +160,7 @@ nvc0_fb_vram_new(struct nouveau_fb *pfb, u64 size, u32 align, u32 ncmin, ...@@ -160,7 +160,7 @@ nvc0_fb_vram_new(struct nouveau_fb *pfb, u64 size, u32 align, u32 ncmin,
list_add_tail(&r->rl_entry, &mem->regions); list_add_tail(&r->rl_entry, &mem->regions);
size -= r->length; size -= r->length;
} while (size); } while (size);
mutex_unlock(&mm->mutex); mutex_unlock(&pfb->base.mutex);
r = list_first_entry(&mem->regions, struct nouveau_mm_node, rl_entry); r = list_first_entry(&mem->regions, struct nouveau_mm_node, rl_entry);
mem->offset = (u64)r->offset << 12; mem->offset = (u64)r->offset << 12;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment