From b304be3977ee0fa7f81ee65e7b2d0134304fceac Mon Sep 17 00:00:00 2001 From: jsg Date: Sun, 23 Jan 2022 22:53:03 +0000 Subject: [PATCH] move uao_reference() call before uvm_map() other uses in the kernel do this as uvm_map() may sleep and the segment may be deallocated while sleeping without a reference kettenis notes that shouldn't happen here due to a obj reference from an earlier i915_gem_object_lookup() call ok visa@ kettenis@ --- sys/dev/pci/drm/i915/gem/i915_gem_mman.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/dev/pci/drm/i915/gem/i915_gem_mman.c b/sys/dev/pci/drm/i915/gem/i915_gem_mman.c index dda2f13e406..e9d978d3e5e 100644 --- a/sys/dev/pci/drm/i915/gem/i915_gem_mman.c +++ b/sys/dev/pci/drm/i915/gem/i915_gem_mman.c @@ -139,12 +139,13 @@ i915_gem_mmap_ioctl(struct drm_device *dev, void *data, i915_gem_object_put(obj); #else addr = 0; + uao_reference(obj->base.uao); ret = -uvm_map(&curproc->p_vmspace->vm_map, &addr, size, obj->base.uao, args->offset, 0, UVM_MAPFLAG(PROT_READ | PROT_WRITE, PROT_READ | PROT_WRITE, MAP_INHERIT_SHARE, MADV_RANDOM, (args->flags & I915_MMAP_WC) ? UVM_FLAG_WC : 0)); - if (ret == 0) - uao_reference(obj->base.uao); + if (ret != 0) + uao_detach(obj->base.uao); i915_gem_object_put(obj); if (ret) return ret; -- 2.20.1
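Review bot: The reference handling around `uvm_map()` in the `#else` branch depends on an ordering that nothing in the code records, so a later cleanup could undo it. Above the added `uao_reference(obj->base.uao);` I would put `/* take the uao reference before uvm_map(), which may sleep; dropped below if the map fails */`. On success the reference is not released here, so the new mapping presumably owns it, and that is worth confirming and stating in the same comment. The added `uao_detach(obj->base.uao);` reads through `obj`, so it has to stay ahead of `i915_gem_object_put(obj);`, and a short `/* obj must still be held here */` on that line would keep the two from being reordered. The body of `i915_gem_mmap_ioctl()` starts and ends outside this hunk, so the earlier lookup reference mentioned in the commit message is not visible from here.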