drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

mainline inclusion from mainline-v6.2-rc3 commit 4a61648a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5XXFF CVE: CVE-2022-3707 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a61648af68f5ba4884f0e3b494ee1cabc4b6620 -------------------------------- If intel_gvt_dma_map_guest_page failed, it will call ppgtt_invalidate_spt, which will finally free the spt. But the caller function ppgtt_populate_spt_by_guest_entry does not notice that, it will free spt again in its error path. Fix this by canceling the mapping of DMA address and freeing sub_spt. Besides, leave the handle of spt destroy to caller function instead of callee function when error occurs. conflicts: drivers/gpu/drm/i915/gvt/gtt.c Fixes: b901b252 ("drm/i915/gvt: Add 2M huge gtt support") Signed-off-by: N Zheng Wang <zyytlz.wz@163.com> Reviewed-by: N Zhenyu Wang <zhenyuw@linux.intel.com> Signed-off-by: N Zhenyu Wang <zhenyuw@linux.intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@163.comSigned-off-by: N Wang ShaoBo <bobo.shaobowang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
mainline inclusion from mainline-v6.2-rc3 commit 4a61648a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5XXFF CVE: CVE-2022-3707 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a61648af68f5ba4884f0e3b494ee1cabc4b6620 -------------------------------- If intel_gvt_dma_map_guest_page failed, it will call ppgtt_invalidate_spt, which will finally free the spt. But the caller function ppgtt_populate_spt_by_guest_entry does not notice that, it will free spt again in its error path. Fix this by canceling the mapping of DMA address and freeing sub_spt. Besides, leave the handle of spt destroy to caller function instead of callee function when error occurs. conflicts: drivers/gpu/drm/i915/gvt/gtt.c Fixes: b901b252 ("drm/i915/gvt: Add 2M huge gtt support") Signed-off-by: N Zheng Wang <zyytlz.wz@163.com> Reviewed-by: N Zhenyu Wang <zhenyuw@linux.intel.com> Signed-off-by: N Zhenyu Wang <zhenyuw@linux.intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@163.comSigned-off-by: N Wang ShaoBo <bobo.shaobowang@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
17a26a1d · Zheng Wang · Jialin Zhang · 13328365 · 17a26a1d
隐藏空白更改
内联并排

Showing with 13 addition and 4 deletion

drivers/gpu/drm/i915/gvt/gtt.c drivers/gpu/drm/i915/gvt/gtt.c +13 -4

未找到文件。
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1192,10 +1192,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_hypervisor_dma_map_guest_page(vgpu,
 				start_gfn + sub_index, PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;

 		/* Copy the PAT field from PDE. */
@@ -1214,6 +1212,17 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Cancel the existing addess mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	return ret;
 }

 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,