From 764030f94c0a6575cbdc7063746eb9a979acd163 Mon Sep 17 00:00:00 2001 From: jsg Date: Fri, 13 Jan 2023 01:34:34 +0000 Subject: [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry From Zheng Wang 1022519da69d99d455c58ca181a6c499c562c70e in linux-6.1.y/6.1.5 4a61648af68f5ba4884f0e3b494ee1cabc4b6620 in mainline linux --- sys/dev/pci/drm/i915/gvt/gtt.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/dev/pci/drm/i915/gvt/gtt.c b/sys/dev/pci/drm/i915/gvt/gtt.c index a956b53de35..b49d16e5302 100644 --- a/sys/dev/pci/drm/i915/gvt/gtt.c +++ b/sys/dev/pci/drm/i915/gvt/gtt.c @@ -1214,10 +1214,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu, for_each_shadow_entry(sub_spt, &sub_se, sub_index) { ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index, PAGE_SIZE, &dma_addr); - if (ret) { - ppgtt_invalidate_spt(spt); - return ret; - } + if (ret) + goto err; sub_se.val64 = se->val64; /* Copy the PAT field from PDE. */ @@ -1236,6 +1234,17 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu, ops->set_pfn(se, sub_spt->shadow_page.mfn); ppgtt_set_shadow_entry(spt, se, index); return 0; +err: + /* Cancel the existing addess mappings of DMA addr. */ + for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) { + gvt_vdbg_mm("invalidate 4K entry\n"); + ppgtt_invalidate_pte(sub_spt, &sub_se); + } + /* Release the new allocated spt. */ + trace_spt_change(sub_spt->vgpu->id, "release", sub_spt, + sub_spt->guest_page.gfn, sub_spt->shadow_page.type); + ppgtt_free_spt(sub_spt); + return ret; } static int split_64KB_gtt_entry(struct intel_vgpu *vgpu, -- 2.20.1