lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 7 Oct 2022 08:39:41 +0800
From:   Zheng Hacker <hackerzheng666@...il.com>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Zheng Wang <zyytlz.wz@....com>, 1002992920@...com,
        airlied@...ux.ie, alex000young@...il.com,
        dri-devel@...ts.freedesktop.org, intel-gfx@...ts.freedesktop.org,
        jani.nikula@...ux.intel.com, linux-kernel@...r.kernel.org,
        security@...nel.org, tvrtko.ursulin@...ux.intel.com
Subject: Re: [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

Greg KH <gregkh@...uxfoundation.org> 于2022年10月7日周五 03:22写道:
>
> On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@...il.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> > ---
> > v2:
> > - split initial function into two api function suggested by Greg
> >
> > v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
> >  1 file changed, 21 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..55d8e1419302 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >  }
> >
> > +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>
> Odd extra space after the 'int', why?
>

Hi Greg,

Sorry it's a spelling mistake. I'll correct it right away :)

Thanks,
Zheng Wang

Powered by blists - more mailing lists