[Intel-gfx] [PATCH] drm/i915/buddy: fixup potential uaf

[Matthew Auld]

If we are unlucky and can't allocate enough memory when splitting
blocks, where we temporarily end up with the given block and its buddy
on the respective free list, then we need to ensure we delete both
blocks, and no just the buddy, before potentially freeing them.

Fixes: 14d1b9a6247c ("drm/i915: buddy allocator")
Signed-off-by: Matthew Auld <matthew.auld at intel.com>
Cc: Arunpravin <Arunpravin.PaneerSelvam at amd.com>
Cc: Christian König <christian.koenig at amd.com>
---
 drivers/gpu/drm/i915/i915_buddy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_buddy.c b/drivers/gpu/drm/i915/i915_buddy.c
index 6e2ad68f8f3f..9ca81b095adb 100644
--- a/drivers/gpu/drm/i915/i915_buddy.c
+++ b/drivers/gpu/drm/i915/i915_buddy.c
@@ -293,8 +293,10 @@ i915_buddy_alloc(struct i915_buddy_mm *mm, unsigned int order)
 	return block;
 
 out_free:
-	if (i != order)
+	if (i != order) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 	return ERR_PTR(err);
 }
 
@@ -401,8 +403,10 @@ int i915_buddy_alloc_range(struct i915_buddy_mm *mm,
 	buddy = get_buddy(block);
 	if (buddy &&
 	    (i915_buddy_block_is_free(block) &&
-	     i915_buddy_block_is_free(buddy)))
+	     i915_buddy_block_is_free(buddy))) {
+		list_del(&block->link);
 		__i915_buddy_free(mm, block);
+	}
 
 err_free:
 	i915_buddy_free_list(mm, &allocated);
-- 
2.31.1