venus: fix a race condition between gem close and gem handle tracking

After using sparse array to manager virtgpu bo, we set gem_handle to 0
to indicate that the bo is invalid. However, the gem handle gets closed
before that and can be reused by another newly created bo, leading to
the tracked gem handle being unexpectedly zero'ed out.

Fixes: 88f481dd74 ("venus: make sure gem_handle and vn_renderer_bo are 1:1")
Signed-off-by: Yiwei Zhang <zzyiwei@chromium.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/30362>
(cherry picked from commit f788c87d02)

.pick_status.json

@@ -1284,7 +1284,7 @@
         "description": "venus: fix a race condition between gem close and gem handle tracking",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "main_sha": null,
         "because_sha": "88f481dd7422f09ac28de50667fd36ad2ab5f891",
         "notes": null

src/virtio/vulkan/vn_renderer_virtgpu.c

@@ -1109,10 +1109,15 @@ virtgpu_bo_destroy(struct vn_renderer *renderer, struct vn_renderer_bo *_bo)
 
    if (bo->base.mmap_ptr)
       munmap(bo->base.mmap_ptr, bo->base.mmap_size);
-   virtgpu_ioctl_gem_close(gpu, bo->gem_handle);
 
-   /* set gem_handle to 0 to indicate that the bo is invalid */
+   /* Set gem_handle to 0 to indicate that the bo is invalid. Must be set
+    * before closing gem handle. Otherwise the same gem handle can be reused
+    * by another newly created bo and unexpectedly gotten zero'ed out the
+    * tracked gem handle.
+    */
+   const uint32_t gem_handle = bo->gem_handle;
    bo->gem_handle = 0;
+   virtgpu_ioctl_gem_close(gpu, gem_handle);
 
    mtx_unlock(&gpu->dma_buf_import_mutex);