From nobody Wed Sep 17 12:27:43 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F275C4332F for ; Mon, 19 Dec 2022 12:47:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231574AbiLSMrj (ORCPT ); Mon, 19 Dec 2022 07:47:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231167AbiLSMrg (ORCPT ); Mon, 19 Dec 2022 07:47:36 -0500 Received: from m12.mail.163.com (m12.mail.163.com [123.126.96.234]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2D44AE02C for ; Mon, 19 Dec 2022 04:47:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=I77Z/ FCFVVf64G3/7hRxXqdRIyUBCvAL1mnvuDyJtEY=; b=bNlu9bedBAxp5wWLHSkgi eTaSrgsOALU6Q9MLuZF5OOamWYm9xit5C44IX/30XsZlEKR0k9IJ8MIwMLWYBdDg 4/XLWMMGCP8+dYjNrNWu+lop1fHqNrvCBrmexlidN39To/sxE2j7KdXHdi0Dtm+c BvivX7y8TrPtok5Ik93yRU= Received: from leanderwang-LC2.localdomain (unknown [111.206.145.21]) by smtp20 (Coremail) with SMTP id H91pCgAH6QEiXaBj2kKrBw--.42393S2; Mon, 19 Dec 2022 20:46:26 +0800 (CST) From: Zheng Wang To: zhi.a.wang@intel.com Cc: 1002992920@qq.com, airlied@gmail.com, airlied@linux.ie, alex000young@gmail.com, dri-devel@lists.freedesktop.org, gregkh@linuxfoundation.org, hackerzheng666@gmail.com, intel-gfx@lists.freedesktop.org, intel-gvt-dev@lists.freedesktop.org, joonas.lahtinen@linux.intel.com, linux-kernel@vger.kernel.org, security@kernel.org, tvrtko.ursulin@linux.intel.com, zhenyuw@linux.intel.com, zyytlz.wz@163.com Subject: [PATCH v4] [PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry Date: Mon, 19 Dec 2022 20:46:25 +0800 Message-Id: <20221219124625.999055-1-zyytlz.wz@163.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <11728bc1-7b59-1623-b517-d1a0d57eb275@intel.com> References: <11728bc1-7b59-1623-b517-d1a0d57eb275@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: H91pCgAH6QEiXaBj2kKrBw--.42393S2 X-Coremail-Antispam: 1Uf129KBjvJXoWxXry3Ar15CF1kAw1furyUKFg_yoW5uFy3pF 47CF43CF1xJFy29ry7GF10yFyrZ3W5Wa4fWFZ7K3WakrsFy3WDAw42yryfXr9xuFZrG3yS gF47GrWDW34jqa7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0zRomh7UUUUU= X-Originating-IP: [111.206.145.21] X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/1tbiXA-cU1Xl5JiO-wACsj Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" If intel_gvt_dma_map_guest_page failed, it will call ppgtt_invalidate_spt, which will finally free the spt. But the caller does not notice that, it will free spt again in error path. Fix this by undoing the mapping of DMA address and freeing sub_spt. Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support") Signed-off-by: Zheng Wang --- v4: - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi v3: - correct spelling mistake and remove unused variable suggested by Greg v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/ v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/ --- drivers/gpu/drm/i915/gvt/gtt.c | 58 +++++++++++++++++----------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c index 45271acc5038..b472e021e5a4 100644 --- a/drivers/gpu/drm/i915/gvt/gtt.c +++ b/drivers/gpu/drm/i915/gvt/gtt.c @@ -1209,7 +1209,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgp= u, for_each_shadow_entry(sub_spt, &sub_se, sub_index) { ret =3D intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index, PAGE_SIZE, &dma_addr); - if (ret)=20 + if (ret) goto err; sub_se.val64 =3D se->val64; =20 @@ -1233,34 +1233,34 @@ static int split_2MB_gtt_entry(struct intel_vgpu *v= gpu, /* Undone the existing mappings of DMA addr. */ for_each_present_shadow_entry(spt, &e, parent_index) { switch (e.type) { - case GTT_TYPE_PPGTT_PTE_4K_ENTRY: - gvt_vdbg_mm("invalidate 4K entry\n"); - ppgtt_invalidate_pte(spt, &e); - break; - case GTT_TYPE_PPGTT_PTE_64K_ENTRY: - /* We don't setup 64K shadow entry so far. */ - WARN(1, "suspicious 64K gtt entry\n"); - continue; - case GTT_TYPE_PPGTT_PTE_2M_ENTRY: - gvt_vdbg_mm("invalidate 2M entry\n"); - continue; - case GTT_TYPE_PPGTT_PTE_1G_ENTRY: - WARN(1, "GVT doesn't support 1GB page\n"); - continue; - case GTT_TYPE_PPGTT_PML4_ENTRY: - case GTT_TYPE_PPGTT_PDP_ENTRY: - case GTT_TYPE_PPGTT_PDE_ENTRY: - gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n"); - ret1 =3D ppgtt_invalidate_spt_by_shadow_entry( - spt->vgpu, &e); - if (ret1) { - gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n", - spt, e.val64, e.type); - goto free_spt; - } - break; - default: - GEM_BUG_ON(1); + case GTT_TYPE_PPGTT_PTE_4K_ENTRY: + gvt_vdbg_mm("invalidate 4K entry\n"); + ppgtt_invalidate_pte(spt, &e); + break; + case GTT_TYPE_PPGTT_PTE_64K_ENTRY: + /* We don't setup 64K shadow entry so far. */ + WARN(1, "suspicious 64K gtt entry\n"); + continue; + case GTT_TYPE_PPGTT_PTE_2M_ENTRY: + gvt_vdbg_mm("invalidate 2M entry\n"); + continue; + case GTT_TYPE_PPGTT_PTE_1G_ENTRY: + WARN(1, "GVT doesn't support 1GB page\n"); + continue; + case GTT_TYPE_PPGTT_PML4_ENTRY: + case GTT_TYPE_PPGTT_PDP_ENTRY: + case GTT_TYPE_PPGTT_PDE_ENTRY: + gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n"); + ret1 =3D ppgtt_invalidate_spt_by_shadow_entry( + spt->vgpu, &e); + if (ret1) { + gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n", + spt, e.val64, e.type); + goto free_spt; + } + break; + default: + GEM_BUG_ON(1); } } /* Release the new alloced apt. */ --=20 2.25.1