[PATCH] drm/cma-helper: Fix drm_gem_cma_free_object() - Linux-stable-mirror

26 Apr 2019

The logic for freeing an imported buffer with a virtual address is
broken. It will free the buffer instead of unmapping the dma buf.
Fix by reversing the if ladder and first check if the buffer is imported.
Fixes: b9068cde51ee ("drm/cma-helper: Add DRM_GEM_CMA_VMAP_DRIVER_OPS")
Cc: stable@vger.kernel.org
Reported-by: "Li, Tingqian" tingqian.li@intel.com
Signed-off-by: Noralf Trønnes noralf@tronnes.org
---
This bug is present in 5.0 and it only affects tinydrm drivers that import
buffers, which is rare if anyone at all is doing it. I'll apply this to
drm-misc-next and let it trickle down through stable unless someone thinks
otherwise.
Noralf.
drivers/gpu/drm/drm_gem_cma_helper.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c b/drivers/gpu/drm/drm_gem_cma_helper.c
index cc26625b4b33..e01ceed09e67 100644
--- a/drivers/gpu/drm/drm_gem_cma_helper.c
+++ b/drivers/gpu/drm/drm_gem_cma_helper.c
@@ -186,13 +186,13 @@ void drm_gem_cma_free_object(struct drm_gem_object *gem_obj)
cma_obj = to_drm_gem_cma_obj(gem_obj);
-	if (cma_obj->vaddr) {
-		dma_free_wc(gem_obj->dev->dev, cma_obj->base.size,
-			    cma_obj->vaddr, cma_obj->paddr);
-	} else if (gem_obj->import_attach) {
+	if (gem_obj->import_attach) {
    	if (cma_obj->vaddr)
    		dma_buf_vunmap(gem_obj->import_attach->dmabuf, cma_obj->vaddr);
    	drm_prime_gem_destroy(gem_obj, cma_obj->sgt);
+	} else if (cma_obj->vaddr) {
+		dma_free_wc(gem_obj->dev->dev, cma_obj->base.size,
+			    cma_obj->vaddr, cma_obj->paddr);
    }
drm_gem_object_release(gem_obj);
-- 
2.20.1


    