drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime

commit b549c252b1292aea959cd9b83537fcb9384a6112 upstream.

Deleting dmabuf item's list head after releasing its container can lead
to KASAN-reported issue:

  BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xf0
  Read of size 8 at addr ffff88818a4598a8 by task kworker/u8:3/13119

So fix this issue by puting deleting dmabuf_objs ahead of releasing its
container.

Fixes: dfb6ae4e14bd6 ("drm/i915/gvt: Handle orphan dmabuf_objs")
Signed-off-by: Tina Zhang <tina.zhang@intel.com>
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200225053527.8336-2-tina.zhang@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt/dmabuf.c
index 4bfaefd..c034795 100644 (file)
--- a/drivers/gpu/drm/i915/gvt/dmabuf.c
+++ b/drivers/gpu/drm/i915/gvt/dmabuf.c
@@ -96,12 +96,12 @@ static void dmabuf_gem_object_free(struct kref *kref)
                        dmabuf_obj = container_of(pos,
                                        struct intel_vgpu_dmabuf_obj, list);
                        if (dmabuf_obj == obj) {
+                               list_del(pos);
                                intel_gvt_hypervisor_put_vfio_device(vgpu);
                                idr_remove(&vgpu->object_idr,
                                           dmabuf_obj->dmabuf_id);
                                kfree(dmabuf_obj->info);
                                kfree(dmabuf_obj);
-                               list_del(pos);
                                break;
                        }
                }