In the function intel_vgpu_reg_rw_edid of kvmgt.c, pos can be equal to NULL for GPUs that do not properly support EDID. In those cases, when pos gets passed to the handle_edid functions, it gets added a short offset then it's dereferenced in memcpy's, leading to NULL pointer dereference kernel oops. More concretely, that kernel oops renders some Broadwell GPUs users unable to set up virtual machines with virtual GPU passthrough (virtual machines hang indefinitely when trying to make use of the virtual GPU), and make them unable to remove the virtual GPUs once the kernel oops has happened (it hangs indefinitely, and notably too when the kernel tries to shutdown). The issues that this causes and steps to reproduce are discussed in more details in this github issue post: https://github.com/intel/gvt-linux/issues/170#issuecomment-685806160 Check if pos is equal to NULL, and if it is, set ret to a negative value, making the module simply indicate that the access to EDID region has failed, without any fatal repercussion. Signed-off-by: Alejandro Sior <aho@xxxxxxx> --- Changes in v2: - removed middle name of author to comply with git name - rephrased the patch description with imperative phrasing - removed useless paragraph - made a paragraph more concise - fixed typos - made individual lines shorter than 75 chars drivers/gpu/drm/i915/gvt/kvmgt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c index ad8a9df49f29..49163363ba4a 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c @@ -557,7 +557,9 @@ static size_t intel_vgpu_reg_rw_edid(struct intel_vgpu *vgpu, char *buf, (struct vfio_edid_region *)kvmgt_vdev(vgpu)->region[i].data; loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK; - if (pos < region->vfio_edid_regs.edid_offset) { + if (pos == NULL) { + ret = -EINVAL; + } else if (pos < region->vfio_edid_regs.edid_offset) { ret = handle_edid_regs(vgpu, region, buf, count, pos, iswrite); } else { pos -= EDID_BLOB_OFFSET; -- 2.28.0 _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
