From: Alex Young
Date: Mon, 5 Sep 2022 16:53:28 +0800
Subject: Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry.
To: Greg KH
Cc: Zheng Hacker, xmzyshypnc <1002992920@qq.com>, airlied@linux.ie, daniel@ffwll.ch, zhenyuw@linux.intel.com, zhi.a.wang@intel.com, jani.nikula@linux.intel.com, joonas.lahtinen@linux.intel.com, rodrigo.vivi@intel.com, tvrtko.ursulin@linux.intel.com, intel-gvt-dev@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, security@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks for your reply.

We think that when intel_gvt_dma_map_guest_page() fails, ppgtt_invalidate_spt
is called to handle this error. If ppgtt_invalidate_spt succeeds in kfree'ing
the spt object, then there is no need to kfree the spt again in the
ppgtt_populate_spt function. And if ppgtt_invalidate_spt fails, then the
ppgtt_populate_spt function does need to kfree the spt for error handling.
This is our fix; if it's not right, we are glad to discuss it with you.

Greg KH wrote on Mon, 5 Sep 2022 at 16:04:
>
> On Mon, Sep 05, 2022 at 03:46:09PM +0800, Zheng Hacker wrote:
> > I rewrote the letter. Hope it works.
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain:
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> > If intel_gvt_dma_map_guest_page fails, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in the error path.
> >
> > Fix this by returning the result of ppgtt_invalidate_spt to split_2MB_gtt_entry.
> >
> > Signed-off-by: Zheng Wang
> >
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..9f14fded8c0c 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -1215,7 +1215,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >                 ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                                                    PAGE_SIZE, &dma_addr);
> >                 if (ret) {
> > -                       ppgtt_invalidate_spt(spt);
> > +                       ret = ppgtt_invalidate_spt(spt);
> >                         return ret;
>
> But now you just lost the original error, shouldn't this succeed even if
> intel_gvt_dma_map_guest_page() failed?
>
> And how are you causing intel_gvt_dma_map_guest_page() to fail in a real
> system?
>
> thanks,
>
> greg k-h
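Review bot: in the hunk at split_2MB_gtt_entry, `ret = ppgtt_invalidate_spt(spt);` discards the error returned by intel_gvt_dma_map_guest_page(): whenever invalidation succeeds, the function returns 0, so ppgtt_populate_spt and everything above it treat a failed guest-page mapping as success, which is the point Greg raises. The double free is real, but the fix folds two meanings ("mapping failed" and "spt is already gone") into one integer, and the caller side that must honour the new contract (free only when the return is non-zero) is neither touched nor documented in this patch. Suggested change: keep the original `ret` as the return value and signal the freed-spt condition to the caller separately (for example by the callee clearing the caller's reference once ppgtt_free_spt has run, so a second free is a no-op), and add a comment at the call site stating who owns spt on each error path.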
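To make the ownership argument in this thread concrete, here is an added example that is neither the kernel's code nor code from any participant in the thread. All names (spt_t, map_guest_page, invalidate_spt, split_before, split_patch, split_hardened, populate) and the error values are hypothetical stand-ins for intel_gvt_dma_map_guest_page, ppgtt_invalidate_spt, split_2MB_gtt_entry and ppgtt_populate_spt; a static pool with a freed flag replaces kmalloc/kfree so that a second free is counted instead of executed. It runs three shapes of the error path side by side: the pre-patch double free, the posted patch (no double free, but the mapping error becomes 0 when invalidation succeeds, which is Greg's objection), and a hardened shape that preserves the original error and nulls the caller's pointer so the caller's free is harmless.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed error codes standing in for the kernel's -ENOMEM / -EINVAL. */
#define ERR_MAP   (-12)
#define ERR_INVAL (-22)

/* A static pool replaces kmalloc/kfree so the example runs offline and a
 * second free of one object is counted rather than executed (a real double
 * free is undefined behaviour). */
typedef struct { bool live; } spt_t;
static spt_t pool[8];
static int double_free_count;

static void reset_pool(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) pool[i].live = false;
    double_free_count = 0;
}

static spt_t *spt_alloc(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i].live = true; return &pool[i]; }
    return NULL;
}

/* Like kfree(): NULL is a no-op; freeing a dead object is recorded. */
static void spt_free(spt_t *spt) {
    if (!spt) return;
    if (!spt->live) { double_free_count++; return; }
    spt->live = false;
}

/* Stand-in for intel_gvt_dma_map_guest_page(): fails when told to. */
static int map_guest_page(bool fail) { return fail ? ERR_MAP : 0; }

/* Stand-in for ppgtt_invalidate_spt() as the thread describes it: on success
 * it frees the spt itself; on failure it leaves the object alone. */
static int invalidate_spt(spt_t *spt, bool fail) {
    if (fail) return ERR_INVAL;
    spt_free(spt);
    return 0;
}

/* Three shapes of the split error path; only the hardened one nulls *spt. */
typedef int (*split_fn)(spt_t **spt, bool map_fail, bool inv_fail);

/* 1. Pre-patch: invalidate may free spt but the caller cannot tell. */
static int split_before(spt_t **spt, bool map_fail, bool inv_fail) {
    int ret = map_guest_page(map_fail);
    if (ret) {
        invalidate_spt(*spt, inv_fail);
        return ret;
    }
    return 0;
}

/* 2. The posted patch: the caller frees only when invalidate failed, but a
 *    successful invalidate turns the mapping error into 0 (reported success). */
static int split_patch(spt_t **spt, bool map_fail, bool inv_fail) {
    int ret = map_guest_page(map_fail);
    if (ret) {
        ret = invalidate_spt(*spt, inv_fail);
        return ret;
    }
    return 0;
}

/* 3. Hardened: keep the original error; on any error the callee consumes *spt
 *    (freeing it itself if invalidate could not) and nulls the caller's pointer. */
static int split_hardened(spt_t **spt, bool map_fail, bool inv_fail) {
    int ret = map_guest_page(map_fail);
    if (ret) {
        if (invalidate_spt(*spt, inv_fail))
            spt_free(*spt);   /* invalidate did not free it, so we do */
        *spt = NULL;          /* ownership consumed; caller's free is a no-op */
        return ret;           /* original error preserved */
    }
    return 0;
}

/* Stand-in for the ppgtt_populate_spt() error path: frees spt on any error. */
static int populate(split_fn split, bool map_fail, bool inv_fail) {
    reset_pool();
    spt_t *spt = spt_alloc();
    int ret = split(&spt, map_fail, inv_fail);
    if (ret) spt_free(spt);
    return ret;
}

int main(void) {
    const char *names[] = { "before", "patch", "hardened" };
    split_fn fns[] = { split_before, split_patch, split_hardened };
    for (int i = 0; i < 3; i++) {
        int ret = populate(fns[i], true, false);
        printf("%-8s ret=%d double_frees=%d\n", names[i], ret, double_free_count);
    }
    return 0;
}
```

With the mapping failing and invalidation succeeding, the pre-patch shape returns the mapping error but records one double free; the patched shape records none but returns 0; the hardened shape returns the mapping error with no double free, and it does the same when invalidation fails, because the callee then frees the object itself before nulling the caller's pointer.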