Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 12/15/2022 12:47 PM, Joonas Lahtinen wrote:
> (+ Tvrtko as FYI)
>
> Zhenyu, can you take a look at the patch ASAP.
>
> Regards, Joonas

Thanks so much for the reminding and patch.


Actually I don't think it is proper fix as:

split_2MB_gtt_entry() is going to allocate a new spt structure, which is 
a PTE page to hold

the mapping of the 2MB. It will map the sub 4k pages for DMA addrs, form 
them as PTE

entries, write the entries into the new PTE page,  and then link the 
page to the parent

table entry so that the GPU can reach it.


Now something wrong happens when mapping the sub 4K pages. What we need 
are 1) The

existing mappings of DMA addr need to be un-done and 2) the newly 
allocated spt structure

needs to be freed.  These can be handle by ppgtt_invalidate_spt() which 
will handle the 1)

and 2) based on the type of shadow page table, either recursively or 
not. i.e. in this case,

it's a PTE page.


I guess the code wrongly does 1) 2) on the parent page table when 
something error happens in

DMA mapping . You can fix it by releasing the newly allocated spt in the 
error case and put a

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support") in the 
patch comment.


BTW: For sending the patches, you can take a look on "git send-email". 
It will promise the correct

format and prevent quite some bumps. For email clients, if you feel mutt 
is hard to ramp up,

you can try the Claws Mail. More information can be found in 
Documentation/process/email-clients.rst


Thanks,

Zhi.

>
> Quoting Dave Airlie (2022-10-27 08:12:31)
>> On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@xxxxxxxxx> wrote:
>>> Dave Airlie <airlied@xxxxxxxxx> 于2022年10月27日周四 08:01写道:
>>>> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@xxxxxxx> wrote:
>>>>> If intel_gvt_dma_map_guest_page failed, it will call
>>>>> ppgtt_invalidate_spt, which will finally free the spt.
>>>>> But the caller does not notice that, it will free spt again in error path.
>>>>>
>>>>> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
>>>>> Only free spt when in good case.
>>>>>
>>>>> Reported-by: Zheng Wang <hackerzheng666@xxxxxxxxx>
>>>>> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
>>>> Has this landed in a tree yet, since it's a possible CVE, might be
>>>> good to merge it somewhere.
>>>>
>>>> Dave.
>>>>
>>> Hi Dave,
>>>
>>> This patched hasn't been merged yet. Could you please help with this?
>> I'll add some more people who can probably look at it.
>>
>> Dave.
[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux