[PATCH 02/22] drm/i915/buddy: nasty uaf

[Matthew Auld]

Signed-off-by: Matthew Auld <matthew.auld at intel.com>
---
 drivers/gpu/drm/i915/i915_buddy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_buddy.c b/drivers/gpu/drm/i915/i915_buddy.c
index 6e2ad68f8f3f..9ca81b095adb 100644
--- a/drivers/gpu/drm/i915/i915_buddy.c
+++ b/drivers/gpu/drm/i915/i915_buddy.c
@@ -293,8 +293,10 @@ i915_buddy_alloc(struct i915_buddy_mm *mm, unsigned int order)
 	return block;
 
 out_free:
-	if (i != order)
+	if (i != order) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 	return ERR_PTR(err);
 }
 
@@ -401,8 +403,10 @@ int i915_buddy_alloc_range(struct i915_buddy_mm *mm,
 	buddy = get_buddy(block);
 	if (buddy &&
 	    (i915_buddy_block_is_free(block) &&
-	     i915_buddy_block_is_free(buddy)))
+	     i915_buddy_block_is_free(buddy))) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 
 err_free:
 	i915_buddy_free_list(mm, &allocated);
-- 
2.31.1