From 80ae5bbbd7fab3978a079000ba042cbaff887361 Mon Sep 17 00:00:00 2001
From: jsg
Date: Fri, 10 Feb 2023 14:37:16 +0000
Subject: [PATCH] drm/i915: Avoid potential vm use-after-free

From Rob Clark 764accc2c1b8fd1507be2e7f436c94cdce887a00 in linux-6.1.y/6.1.11 41d419382ec7e257e54b7b6ff0d3623aafb1316d in mainline linux
---
 sys/dev/pci/drm/i915/gem/i915_gem_context.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/sys/dev/pci/drm/i915/gem/i915_gem_context.c b/sys/dev/pci/drm/i915/gem/i915_gem_context.c
index 2a49ede2eb6..92711306e0b 100644
--- a/sys/dev/pci/drm/i915/gem/i915_gem_context.c
+++ b/sys/dev/pci/drm/i915/gem/i915_gem_context.c
@@ -1890,11 +1890,19 @@ static int get_ppgtt(struct drm_i915_file_private *file_priv,
 	vm = ctx->vm;
 	GEM_BUG_ON(!vm);
 
+	/*
+	 * Get a reference for the allocated handle. Once the handle is
+	 * visible in the vm_xa table, userspace could try to close it
+	 * from under our feet, so we need to hold the extra reference
+	 * first.
+	 */
+	i915_vm_get(vm);
+
 	err = xa_alloc(&file_priv->vm_xa, &id, vm, xa_limit_32b, GFP_KERNEL);
-	if (err)
+	if (err) {
+		i915_vm_put(vm);
 		return err;
-
-	i915_vm_get(vm);
+	}
 
 	GEM_BUG_ON(id == 0); /* reserved for invalid/unassigned ppgtt */
 	args->value = id;
-- 
2.20.1
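Review bot: The new error path after xa_alloc() is only safe because xa_alloc() stores nothing in vm_xa when it fails, so the i915_vm_put() there is dropping a reference no concurrent vm_destroy could have raced for; that dependency is worth stating next to the put, e.g. `i915_vm_put(vm); /* xa_alloc() stored nothing, handle was never visible */`. Likewise the i915_vm_get() placed before xa_alloc() presumably relies on the caller's ctx reference keeping ctx->vm alive until the get lands, which the hunk cannot show, so a short `/* ctx pins ctx->vm; this extra ref is owned by the vm_xa handle */` would make the ownership transfer explicit for whoever touches vm_destroy next. Since this is the OpenBSD drm port rather than upstream Linux, confirm the local xarray shim matches Linux xa_alloc() failure semantics (no entry published on -ENOMEM/-EBUSY) before relying on the first point. get_ppgtt() starts before and ends after this hunk.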