drm/i915/gvt/kvmgt: check returned slot for gfn (faaaa53b) · Commits · 戴 / test

gfn_to_memslot() may return NULL if the gfn is mmio or invalid. A malicious user might input a bad gfn to panic the host if we don't check it. Signed-off-by:

Jike Song <jike.song@intel.com> Signed-off-by:

Zhenyu Wang <zhenyuw@linux.intel.com>

drivers/gpu/drm/i915/gvt/kvmgt.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1137,6 +1137,10 @@ static int kvmgt_write_protect_add(unsigned long handle, u64 gfn)

		idx = srcu_read_lock(&kvm->srcu);
		slot = gfn_to_memslot(kvm, gfn);
		if (!slot) {
		srcu_read_unlock(&kvm->srcu, idx);
		return -EINVAL;
		}

		spin_lock(&kvm->mmu_lock);

		@@ -1167,6 +1171,10 @@ static int kvmgt_write_protect_remove(unsigned long handle, u64 gfn)

		idx = srcu_read_lock(&kvm->srcu);
		slot = gfn_to_memslot(kvm, gfn);
		if (!slot) {
		srcu_read_unlock(&kvm->srcu, idx);
		return -EINVAL;
		}

		spin_lock(&kvm->mmu_lock);

Admin message