drm/i915: Use after free in error path in intel_vgpu_create_workload()

We can't free "workload" until after the printk or it's a use after
free.

Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>

diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
index 9f3fd7d96a694a6fe890978dd19e3c38160965e4..75baff657e4331f28fc58d938c7a9de7087e0fcc 100644 (file)
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -1528,9 +1528,9 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
                        if (!intel_gvt_ggtt_validate_range(vgpu,
                                workload->wa_ctx.indirect_ctx.guest_gma,
                                workload->wa_ctx.indirect_ctx.size)) {
-                               kmem_cache_free(s->workloads, workload);
                                gvt_vgpu_err("invalid wa_ctx at: 0x%lx\n",
                                    workload->wa_ctx.indirect_ctx.guest_gma);
+                               kmem_cache_free(s->workloads, workload);
                                return ERR_PTR(-EINVAL);
                        }
                }
@@ -1542,9 +1542,9 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
                        if (!intel_gvt_ggtt_validate_range(vgpu,
                                workload->wa_ctx.per_ctx.guest_gma,
                                CACHELINE_BYTES)) {
-                               kmem_cache_free(s->workloads, workload);
                                gvt_vgpu_err("invalid per_ctx at: 0x%lx\n",
                                        workload->wa_ctx.per_ctx.guest_gma);
+                               kmem_cache_free(s->workloads, workload);
                                return ERR_PTR(-EINVAL);
                        }
                }