Commit 7513edbc authored by Chris Wilson's avatar Chris Wilson Committed by Zhenyu Wang

drm/i915/gvt: Avoid use-after-free iterating the gtt list

Found by smatch:

drivers/gpu/drm/i915/gvt/gtt.c:2452 intel_vgpu_destroy_ggtt_mm() error: dereferencing freed memory 'pos'
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
Reviewed-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
parent f3be657d
...@@ -2443,10 +2443,11 @@ static void intel_vgpu_destroy_all_ppgtt_mm(struct intel_vgpu *vgpu) ...@@ -2443,10 +2443,11 @@ static void intel_vgpu_destroy_all_ppgtt_mm(struct intel_vgpu *vgpu)
static void intel_vgpu_destroy_ggtt_mm(struct intel_vgpu *vgpu) static void intel_vgpu_destroy_ggtt_mm(struct intel_vgpu *vgpu)
{ {
struct intel_gvt_partial_pte *pos; struct intel_gvt_partial_pte *pos, *next;
list_for_each_entry(pos, list_for_each_entry_safe(pos, next,
&vgpu->gtt.ggtt_mm->ggtt_mm.partial_pte_list, list) { &vgpu->gtt.ggtt_mm->ggtt_mm.partial_pte_list,
list) {
gvt_dbg_mm("partial PTE update on hold 0x%lx : 0x%llx\n", gvt_dbg_mm("partial PTE update on hold 0x%lx : 0x%llx\n",
pos->offset, pos->data); pos->offset, pos->data);
kfree(pos); kfree(pos);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment