| From b549c252b1292aea959cd9b83537fcb9384a6112 Mon Sep 17 00:00:00 2001 |
| From: Tina Zhang <tina.zhang@intel.com> |
| Date: Tue, 25 Feb 2020 13:35:27 +0800 |
| Subject: drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime |
| |
| From: Tina Zhang <tina.zhang@intel.com> |
| |
| commit b549c252b1292aea959cd9b83537fcb9384a6112 upstream. |
| |
| Deleting dmabuf item's list head after releasing its container can lead |
| to KASAN-reported issue: |
| |
| BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xf0 |
| Read of size 8 at addr ffff88818a4598a8 by task kworker/u8:3/13119 |
| |
| So fix this issue by putting the deletion of dmabuf_objs ahead of releasing its |
| container. |
| |
| Fixes: dfb6ae4e14bd6 ("drm/i915/gvt: Handle orphan dmabuf_objs") |
| Signed-off-by: Tina Zhang <tina.zhang@intel.com> |
| Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com> |
| Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> |
| Link: http://patchwork.freedesktop.org/patch/msgid/20200225053527.8336-2-tina.zhang@intel.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/i915/gvt/dmabuf.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/gpu/drm/i915/gvt/dmabuf.c |
| +++ b/drivers/gpu/drm/i915/gvt/dmabuf.c |
| @@ -151,12 +151,12 @@ static void dmabuf_gem_object_free(struc |
| dmabuf_obj = container_of(pos, |
| struct intel_vgpu_dmabuf_obj, list); |
| if (dmabuf_obj == obj) { |
| + list_del(pos); |
| intel_gvt_hypervisor_put_vfio_device(vgpu); |
| idr_remove(&vgpu->object_idr, |
| dmabuf_obj->dmabuf_id); |
| kfree(dmabuf_obj->info); |
| kfree(dmabuf_obj); |
| - list_del(pos); |
| break; |
| } |
| } |
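Review bot: The ordering this fix depends on is not documented at the new `list_del(pos)` call, so a later reshuffle of this branch could reintroduce the use-after-free. `pos` is the `list` member embedded in `dmabuf_obj` (see the `container_of` just above), and I would add `/* pos lives inside dmabuf_obj: unlink before kfree(dmabuf_obj) */` above the call. A similar lifetime question applies one line down: `intel_gvt_hypervisor_put_vfio_device(vgpu)` runs before `idr_remove(&vgpu->object_idr, ...)`. If that put can drop the last reference keeping `vgpu` alive, which is not visible in this hunk, it should move after the `idr_remove`. `dmabuf_gem_object_free` starts and ends outside the hunk, so the loop form and the locking around the list walk could not be checked here.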