On Mon, Feb 20, 2023 at 03:35:54PM +0200, Ovidiu Panait wrote:
> From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
> commit 4a61648af68f5ba4884f0e3b494ee1cabc4b6620 upstream.
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller function ppgtt_populate_spt_by_guest_entry
> does not notice that, it will free spt again in its error
> path.
>
> Fix this by canceling the mapping of DMA address and freeing sub_spt.
> Besides, leave the handle of spt destroy to caller function instead
> of callee function when error occurs.
>
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Reviewed-by: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
> Signed-off-by: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
> Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@xxxxxxx
> Signed-off-by: Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxxxxxx>
> ---
> Backport of CVE-2022-3707 fix.

Note, I think this is a bogus CVE, but whatever, you do you...

Now queued up, thanks.

greg k-h
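The ownership problem described in the quoted commit message, as an added illustration that is not part of this thread or of the kernel patch: a simplified user-space model in C of a callee that tears down the parent object on error while the caller's error path does the same. The struct, the function names and NPAGES are hypothetical stand-ins, and releases are counted rather than performed so the double release can be observed without undefined behaviour.

```c
#include <stdio.h>

#define NPAGES 4                    /* constructed value for this model */

/* Hypothetical stand-in for a shadow page table, not the kernel struct. */
struct spt { int frees; };
static int mapped;                  /* live DMA mappings in this model */

/* Count releases instead of calling free(), so a double release is visible. */
static void spt_release(struct spt *s) { s->frees++; }

static int dma_map(int i, int fail_at) {
    if (i == fail_at) return -1;    /* simulated mapping failure */
    mapped++;
    return 0;
}

/* Before: on a mapping failure the callee tears down the parent spt. */
static int split_before(struct spt *spt, struct spt *sub, int fail_at) {
    (void)sub;
    for (int i = 0; i < NPAGES; i++)
        if (dma_map(i, fail_at)) { spt_release(spt); return -1; }
    return 0;
}

/* After: the callee undoes only its own work (mappings and sub_spt). */
static int split_after(struct spt *spt, struct spt *sub, int fail_at) {
    (void)spt;
    for (int i = 0; i < NPAGES; i++)
        if (dma_map(i, fail_at)) {
            mapped -= i;            /* cancel the i mappings already made */
            spt_release(sub);
            return -1;
        }
    return 0;
}

/* Caller error path, the same in both versions: release spt on failure.
 * Returns how many times the parent spt was released. */
static int populate(int fixed, int fail_at) {
    struct spt spt = {0}, sub = {0};
    mapped = 0;
    int ret = fixed ? split_after(&spt, &sub, fail_at)
                    : split_before(&spt, &sub, fail_at);
    if (ret) spt_release(&spt);
    return spt.frees;
}

int main(void) {
    printf("before: %d after: %d\n", populate(0, 2), populate(1, 2));
    return 0;
}
```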