drm/i915: Avoid potential vm use-after-free
authorjsg <jsg@openbsd.org>
Fri, 10 Feb 2023 14:37:16 +0000 (14:37 +0000)
committerjsg <jsg@openbsd.org>
Fri, 10 Feb 2023 14:37:16 +0000 (14:37 +0000)
From Rob Clark
764accc2c1b8fd1507be2e7f436c94cdce887a00 in linux-6.1.y/6.1.11
41d419382ec7e257e54b7b6ff0d3623aafb1316d in mainline linux

sys/dev/pci/drm/i915/gem/i915_gem_context.c

index 2a49ede..9271130 100644 (file)
@@ -1890,11 +1890,19 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv,
        vm = ctx->vm;
        GEM_BUG_ON(!vm);
 
+       /*
+        * Get a reference for the allocated handle.  Once the handle is
+        * visible in the vm_xa table, userspace could try to close it
+        * from under our feet, so we need to hold the extra reference
+        * first.
+        */
+       i915_vm_get(vm);
+
        err = xa_alloc(&file_priv->vm_xa, &id, vm, xa_limit_32b, GFP_KERNEL);
-       if (err)
+       if (err) {
+               i915_vm_put(vm);
                return err;
-
-       i915_vm_get(vm);
+       }
 
        GEM_BUG_ON(id == 0); /* reserved for invalid/unassigned ppgtt */
        args->value = id;
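Review bot: The comment added above `i915_vm_get(vm)` explains why the reference must be taken before `xa_alloc()` publishes the handle, but it does not say who owns that reference afterwards. On the failure branch the hunk drops it with `i915_vm_put(vm)`; on success it presumably stays with the `vm_xa` entry until the handle is closed, and that release path is outside this hunk, so confirm it before relying on it. I would add one sentence to the comment, e.g. `On success this reference is owned by the vm_xa entry and dropped when the handle is closed.`, so a later edit to the error path keeps the get/put pairs balanced. get_ppgtt's body starts and ends outside the hunk.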