Commit 1a1bee2f authored by Zheng Wang's avatar Zheng Wang Committed by Yongqiang Liu
Browse files

drm/i915/gvt: fix double free bug in split_2MB_gtt_entry 

mainline inclusion
from mainline-v6.2-rc3
commit 4a61648a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5XXFF
CVE: CVE-2022-3707

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a61648af68f5ba4884f0e3b494ee1cabc4b6620



--------------------------------

If intel_gvt_dma_map_guest_page failed, it will call
ppgtt_invalidate_spt, which will finally free the spt.
But the caller function ppgtt_populate_spt_by_guest_entry
does not notice that, it will free spt again in its error
path.

Fix this by canceling the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead
of callee function when error occurs.

Fixes: b901b252 ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: default avatarZheng Wang <zyytlz.wz@163.com>
Reviewed-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@163.com


conflicts:
  drivers/gpu/drm/i915/gvt/gtt.c
Signed-off-by: default avatarWang ShaoBo <bobo.shaobowang@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: default avatarWei Li <liwei391@huawei.com>
Signed-off-by: default avatarYongqiang Liu <liuyongqiang13@huawei.com>
parent ac59b83e
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment