From: Zheng Wang
To: zhi.a.wang@intel.com
Cc: 1002992920@qq.com, airlied@gmail.com, airlied@linux.ie, alex000young@gmail.com, dri-devel@lists.freedesktop.org, gregkh@linuxfoundation.org, hackerzheng666@gmail.com, intel-gfx@lists.freedesktop.org, intel-gvt-dev@lists.freedesktop.org, joonas.lahtinen@linux.intel.com, linux-kernel@vger.kernel.org, security@kernel.org, tvrtko.ursulin@linux.intel.com, zhenyuw@linux.intel.com, zyytlz.wz@163.com
Subject: [PATCH v4] [PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
Date: Mon, 19 Dec 2022 20:46:25 +0800
Message-Id: <20221219124625.999055-1-zyytlz.wz@163.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <11728bc1-7b59-1623-b517-d1a0d57eb275@intel.com>
References: <11728bc1-7b59-1623-b517-d1a0d57eb275@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Mailing-List: linux-kernel@vger.kernel.org

If intel_gvt_dma_map_guest_page fails, it will call ppgtt_invalidate_spt, which will finally free the spt. But the caller does not notice that and will free spt again in the error path.

Fix this by undoing the mapping of the DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang --- v4: - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi v3: - correct spelling mistake and remove unused variable suggested by Greg v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/ v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/ --- drivers/gpu/drm/i915/gvt/gtt.c | 58 +++++++++++++++++----------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c index 45271acc5038..b472e021e5a4 100644 --- a/drivers/gpu/drm/i915/gvt/gtt.c +++ b/drivers/gpu/drm/i915/gvt/gtt.c @@ -1209,7 +1209,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu, for_each_shadow_entry(sub_spt, &sub_se, sub_index) { ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index, PAGE_SIZE, &dma_addr); - if (ret) + if (ret) goto err; sub_se.val64 = se->val64; 
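Review bot: this hunk does not carry the functional change the commit message describes. The only `-`/`+` pair is `if (ret)` removed and re-added, identical apart from whitespace, while `goto err;` and `sub_se.val64 = se->val64;` are unchanged context, so the jump to the error path already exists before the patch is applied. Together with the 29 insertions / 29 deletions diffstat, this looks like a diff generated on top of a tree that already carries an earlier version of the fix rather than against a clean upstream base; please rebase and regenerate the patch so the change to the failure path (undoing the DMA mapping and freeing sub_spt) shows up as real `-`/`+` lines that can be reviewed.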
@@ -1233,34 +1233,34 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu, /* Undone the existing mappings of DMA addr. */ for_each_present_shadow_entry(spt, &e, parent_index) { switch (e.type) { - case GTT_TYPE_PPGTT_PTE_4K_ENTRY: - gvt_vdbg_mm("invalidate 4K entry\n"); - ppgtt_invalidate_pte(spt, &e); - break; - case GTT_TYPE_PPGTT_PTE_64K_ENTRY: - /* We don't setup 64K shadow entry so far. */ - WARN(1, "suspicious 64K gtt entry\n"); - continue; - case GTT_TYPE_PPGTT_PTE_2M_ENTRY: - gvt_vdbg_mm("invalidate 2M entry\n"); - continue; - case GTT_TYPE_PPGTT_PTE_1G_ENTRY: - WARN(1, "GVT doesn't support 1GB page\n"); - continue; - case GTT_TYPE_PPGTT_PML4_ENTRY: - case GTT_TYPE_PPGTT_PDP_ENTRY: - case GTT_TYPE_PPGTT_PDE_ENTRY: - gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n"); - ret1 = ppgtt_invalidate_spt_by_shadow_entry( - spt->vgpu, &e); - if (ret1) { - gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n", - spt, e.val64, e.type); - goto free_spt; - } - break; - default: - GEM_BUG_ON(1); + case GTT_TYPE_PPGTT_PTE_4K_ENTRY: + gvt_vdbg_mm("invalidate 4K entry\n"); + ppgtt_invalidate_pte(spt, &e); + break; + case GTT_TYPE_PPGTT_PTE_64K_ENTRY: + /* We don't setup 64K shadow entry so far. */ + WARN(1, "suspicious 64K gtt entry\n"); + continue; + case GTT_TYPE_PPGTT_PTE_2M_ENTRY: + gvt_vdbg_mm("invalidate 2M entry\n"); + continue; + case GTT_TYPE_PPGTT_PTE_1G_ENTRY: + WARN(1, "GVT doesn't support 1GB page\n"); + continue; + case GTT_TYPE_PPGTT_PML4_ENTRY: + case GTT_TYPE_PPGTT_PDP_ENTRY: + case GTT_TYPE_PPGTT_PDE_ENTRY: + gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n"); + ret1 = ppgtt_invalidate_spt_by_shadow_entry( + spt->vgpu, &e); + if (ret1) { + gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n", + spt, e.val64, e.type); + goto free_spt; + } + break; + default: + GEM_BUG_ON(1); } } /* Release the new alloced apt. */ -- 2.25.1
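Review bot: every removed line in this hunk is re-added with nothing but its indentation changed, so this is a whitespace-only hunk and the cleanup logic itself is not visible to reviewers of this message (`ret1`, `parent_index`, the `e` entry and the `free_spt` label are all used here without being introduced); please regenerate against a clean base so the error path appears as added lines. On what is visible, two points to confirm: the loop walks the parent table with `for_each_present_shadow_entry(spt, &e, parent_index)` and calls `ppgtt_invalidate_spt_by_shadow_entry(spt->vgpu, &e)` for PML4/PDP/PDE entries, yet the commit message says the fix undoes the mappings of the newly allocated `sub_spt` and frees it, and the first hunk only ever maps `PAGE_SIZE` pages into `sub_spt`, so a walk over `spt` with a full entry-type switch looks like the wrong target (only the 4K entries under `sub_spt` need unmapping); and the trailing comment `/* Release the new alloced apt. */` should read `allocated spt`.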
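The ownership mistake the commit message describes, modelled as an added C example that is not code from this patch or from the i915 driver: `split_entry_buggy`, `split_entry_fixed`, `invalidate_spt`, `map_guest_page` and the single-slot `struct spt` are hypothetical stand-ins for `split_2MB_gtt_entry`, `ppgtt_invalidate_spt`, `intel_gvt_dma_map_guest_page` and the driver's shadow page table, with constructed counters in place of real allocation so that a second free is observable instead of being undefined behaviour. The buggy shape frees the sub table inside the callee and again in the caller's error path; the fixed shape gives the caller sole ownership, undoes only the mappings that succeeded, and frees exactly once.

```c
/* Hypothetical stand-in for the driver's shadow page table. One static
 * slot is enough here, and it lets a second free be counted, not crash. */
struct spt {
    int nr_mapped;     /* how many sub-entries currently have a DMA mapping */
};
static struct spt slot;
static int slot_live;      /* 1 while the table is allocated */
static int double_frees;   /* constructed counter: frees of an already freed table */
static int mappings_live;  /* constructed counter: DMA mappings not yet undone */

static struct spt *spt_alloc(void)
{
    if (slot_live)
        return 0;          /* null: the single slot is taken */
    slot_live = 1;
    slot.nr_mapped = 0;
    return &slot;
}

static void spt_free(struct spt *s)
{
    if (s != &slot || !slot_live) {   /* already released: the double free */
        double_frees++;
        return;
    }
    slot_live = 0;
}

/* Simulated DMA mapping of one guest page (stand-in for
 * intel_gvt_dma_map_guest_page); it fails at index fail_at. */
static int map_guest_page(int index, int fail_at)
{
    if (index == fail_at)
        return -1;
    mappings_live++;
    return 0;
}

static void undo_mappings(struct spt *s)
{
    while (s->nr_mapped > 0) {
        mappings_live--;
        s->nr_mapped--;
    }
}

/* Buggy shape (stand-in for ppgtt_invalidate_spt): the callee undoes the
 * mappings and frees the table, yet still returns an error to the caller. */
static void invalidate_spt(struct spt *s)
{
    undo_mappings(s);
    spt_free(s);
}

int split_entry_buggy(int sub_entries, int fail_at)
{
    struct spt *sub = spt_alloc();
    int ret = 0;
    if (!sub) return -1;
    for (int i = 0; i < sub_entries; i++) {
        ret = map_guest_page(i, fail_at);
        if (ret) {
            invalidate_spt(sub);    /* first free */
            goto err;
        }
        sub->nr_mapped++;
    }
    return 0;
err:
    spt_free(sub);                  /* second free of the same table */
    return ret;
}

/* Fixed shape: the caller alone owns the new table. On failure it undoes
 * only the mappings that succeeded and frees the table exactly once. */
int split_entry_fixed(int sub_entries, int fail_at)
{
    struct spt *sub = spt_alloc();
    int ret = 0;
    if (!sub) return -1;
    for (int i = 0; i < sub_entries; i++) {
        ret = map_guest_page(i, fail_at);
        if (ret)
            goto err;
        sub->nr_mapped++;
    }
    return 0;   /* success: the table stays allocated for the caller to install */
err:
    undo_mappings(sub);
    spt_free(sub);
    return ret;
}

/* Resets the counters, runs one scenario and returns the double frees seen. */
int run(int (*fn)(int, int), int sub_entries, int fail_at)
{
    slot_live = 0;
    double_frees = 0;
    mappings_live = 0;
    fn(sub_entries, fail_at);
    return double_frees;
}
```

Calling `run(split_entry_buggy, 4, 2)` reports one double free, while `run(split_entry_fixed, 4, 2)` reports none and leaves `mappings_live` at zero; on the success path (`fail_at` of -1) the fixed version keeps the table and its four mappings alive for the caller to install. The design point is the one the commit message makes: whichever function frees an object on failure must be the only one that does, so a callee that returns an error should leave teardown to the caller that allocated it.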