From 6ee942d5f7e3e630d3a2517e75969ce5d07c87d6 Mon Sep 17 00:00:00 2001
From: Tina Zhang <tina.zhang@intel.com>
Date: Fri, 8 Dec 2017 15:17:38 +0800
Subject: [PATCH] drm/i915/gvt: Refine dmabuf_obj cleanup process

During dmabuf_obj cleanup, the dmabuf_obj might be freed in dmabuf_obj_put,
so the matching intel_gvt_hypervisor_put_vfio_device call is missed (a leak).

Move intel_gvt_hypervisor_put_vfio_device and all the other dmabuf_obj ops
in front of dmabuf_obj_put and let every dmabuf_obj have a chance to call
intel_gvt_hypervisor_put_vfio_device to fix this leaking issue.

Fixes: e3a0d7976c53 ("drm/i915/gvt: Handle orphan dmabuf_objs")
Signed-off-by: Tina Zhang <tina.zhang@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
---
 drivers/gpu/drm/i915/gvt/dmabuf.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt/dmabuf.c
index 9c40a67ecdd6..2ab584f97dfb 100644
--- a/drivers/gpu/drm/i915/gvt/dmabuf.c
+++ b/drivers/gpu/drm/i915/gvt/dmabuf.c
@@ -520,19 +520,18 @@ void intel_vgpu_dmabuf_cleanup(struct intel_vgpu *vgpu)
 	list_for_each_safe(pos, n, &vgpu->dmabuf_obj_list_head) {
 		dmabuf_obj = container_of(pos, struct intel_vgpu_dmabuf_obj,
 						list);
+		dmabuf_obj->vgpu = NULL;
+
+		idr_remove(&vgpu->object_idr, dmabuf_obj->dmabuf_id);
+		intel_gvt_hypervisor_put_vfio_device(vgpu);
+		list_del(pos);
+
+		/* dmabuf_obj might be freed in dmabuf_obj_put */
 		if (dmabuf_obj->initref) {
 			dmabuf_obj->initref = false;
 			dmabuf_obj_put(dmabuf_obj);
 		}
 
-		idr_remove(&vgpu->object_idr, dmabuf_obj->dmabuf_id);
-
-		if (dmabuf_obj->vgpu)
-			intel_gvt_hypervisor_put_vfio_device(vgpu);
-
-		list_del(pos);
-		dmabuf_obj->vgpu = NULL;
-
 	}
 	mutex_unlock(&vgpu->dmabuf_lock);
 }
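Review bot: The now-unconditional `intel_gvt_hypervisor_put_vfio_device(vgpu);` in the loop drops the old `if (dmabuf_obj->vgpu)` guard, so it assumes every entry on `dmabuf_obj_list_head` still holds exactly one vfio device reference. The hunk does not show where that reference is taken, or whether the release path behind `dmabuf_obj_put` can drop it as well, so the balance should be confirmed against the rest of the file. The reordering also stops the loop from reading `dmabuf_obj->dmabuf_id` and `dmabuf_obj->vgpu` after a put that may free the object, which the commit message describes only as a leak; that matters when deciding on backports. I would widen the comment to state the invariant, e.g. `/* Last use of dmabuf_obj: dmabuf_obj_put() may free it, do not touch it afterwards */`. The function body starts before the hunk.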
-- 
GitLab