drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime

TinaZhangZW · zhenyw · commit b549c252b129 · 2020-02-25T16:14:20.000+08:00
Deleting dmabuf item's list head after releasing its container can lead to KASAN-reported issue: BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xf0 Read of size 8 at addr ffff88818a4598a8 by task kworker/u8:3/13119 So fix this issue by puting deleting dmabuf_objs ahead of releasing its container. Fixes: dfb6ae4 ("drm/i915/gvt: Handle orphan dmabuf_objs") Signed-off-by: Tina Zhang <tina.zhang@intel.com> Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com> Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/20200225053527.8336-2-tina.zhang@intel.com
diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt/dmabuf.c
@@ -151,12 +151,12 @@ static void dmabuf_gem_object_free(struct kref *kref)
 			dmabuf_obj = container_of(pos,
 					struct intel_vgpu_dmabuf_obj, list);
 			if (dmabuf_obj == obj) {
+				list_del(pos);
 				intel_gvt_hypervisor_put_vfio_device(vgpu);
 				idr_remove(&vgpu->object_idr,
 					   dmabuf_obj->dmabuf_id);
 				kfree(dmabuf_obj->info);
 				kfree(dmabuf_obj);
-				list_del(pos);
 				break;
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -151,12 +151,12 @@ static void dmabuf_gem_object_free(struct kref *kref)`
`151`	`151`	`dmabuf_obj = container_of(pos,`
`152`	`152`	`struct intel_vgpu_dmabuf_obj, list);`
`153`	`153`	`if (dmabuf_obj == obj) {`
	`154`	`+ list_del(pos);`
`154`	`155`	`intel_gvt_hypervisor_put_vfio_device(vgpu);`
`155`	`156`	`idr_remove(&vgpu->object_idr,`
`156`	`157`	`dmabuf_obj->dmabuf_id);`
`157`	`158`	`kfree(dmabuf_obj->info);`
`158`	`159`	`kfree(dmabuf_obj);`
`159`		`- list_del(pos);`
`160`	`160`	`break;`
`161`	`161`	`}`
`162`	`162`	`}`