From b129ff30acea495b1455cf8d6e1d86fdb87d22d4 Mon Sep 17 00:00:00 2001 From: Matthew Auld Date: Wed, 8 Feb 2023 14:53:17 +0000 Subject: drm/qxl: handle NULL bo->resource in move callback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ttm bo now initially has NULL bo->resource, and leaves the driver the handle that. However it looks like we forgot to handle that for qxl. It looks like this will just null-ptr-deref in qxl_bo_move(), if bo->resource is NULL. Fix this by calling move_null() if the new resource is TTM_PL_SYSTEM, otherwise do the multi-hop sequence to ensure can safely call into ttm_bo_move_memcpy(), since it might also need to clear the memory. This should give the same behaviour as before. Fixes: 180253782038 ("drm/ttm: stop allocating dummy resources during BO creation") Signed-off-by: Matthew Auld Cc: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20230208145319.397235-2-matthew.auld@intel.com Acked-by: Christian König Signed-off-by: Christian König --- drivers/gpu/drm/qxl/qxl_ttm.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'drivers/gpu/drm/qxl/qxl_ttm.c') diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c index a92a5b0d4c25..1a82629bce3f 100644 --- a/drivers/gpu/drm/qxl/qxl_ttm.c +++ b/drivers/gpu/drm/qxl/qxl_ttm.c @@ -143,6 +143,17 @@ static int qxl_bo_move(struct ttm_buffer_object *bo, bool evict, struct ttm_resource *old_mem = bo->resource; int ret; + if (!old_mem) { + if (new_mem->mem_type != TTM_PL_SYSTEM) { + hop->mem_type = TTM_PL_SYSTEM; + hop->flags = TTM_PL_FLAG_TEMPORARY; + return -EMULTIHOP; + } + + ttm_bo_move_null(bo, new_mem); + return 0; + } + qxl_bo_move_notify(bo, new_mem); ret = ttm_bo_wait_ctx(bo, ctx); -- cgit v1.2.3