From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Zhenyu Wang <zhenyuw@linux.intel.com>,
Zhi Wang <zhi.a.wang@intel.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Xiong Zhang <xiong.y.zhang@intel.com>
Cc: intel-gfx@lists.freedesktop.org,
intel-gvt-dev@lists.freedesktop.org,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH] drm/i915/gvt: Fix use-after-free in intel_vgpu_create_workload
Date: Tue, 6 Aug 2019 21:20:33 -0500 [thread overview]
Message-ID: <20190807022033.GA22623@embeddedor> (raw)
kmem_cache_free() frees *workload*, hence there is a use-after-free bug
when calling function gvt_vgpu_err().
Fix this by storing the value of workload->wa_ctx.indirect_ctx.guest_gma
and workload->wa_ctx.per_ctx.guest_gma into automatic variable
guest_gma before freeing *workload*, for its further use.
Addresses-Coverity-ID: 1452235 ("Read from pointer after free")
Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
drivers/gpu/drm/i915/gvt/scheduler.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
index 32ae6b5b7e16..c8cdb4a309f6 100644
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -1525,9 +1525,11 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
if (!intel_gvt_ggtt_validate_range(vgpu,
workload->wa_ctx.indirect_ctx.guest_gma,
workload->wa_ctx.indirect_ctx.size)) {
+ unsigned long guest_gma =
+ workload->wa_ctx.indirect_ctx.guest_gma;
kmem_cache_free(s->workloads, workload);
gvt_vgpu_err("invalid wa_ctx at: 0x%lx\n",
- workload->wa_ctx.indirect_ctx.guest_gma);
+ guest_gma);
return ERR_PTR(-EINVAL);
}
}
@@ -1539,9 +1541,11 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
if (!intel_gvt_ggtt_validate_range(vgpu,
workload->wa_ctx.per_ctx.guest_gma,
CACHELINE_BYTES)) {
+ unsigned long guest_gma =
+ workload->wa_ctx.per_ctx.guest_gma;
kmem_cache_free(s->workloads, workload);
gvt_vgpu_err("invalid per_ctx at: 0x%lx\n",
- workload->wa_ctx.per_ctx.guest_gma);
+ guest_gma);
return ERR_PTR(-EINVAL);
}
}
--
2.22.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Zhenyu Wang <zhenyuw@linux.intel.com>,
Zhi Wang <zhi.a.wang@intel.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
Xiong Zhang <xiong.y.zhang@intel.com>
Cc: intel-gvt-dev@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH] drm/i915/gvt: Fix use-after-free in intel_vgpu_create_workload
Date: Tue, 6 Aug 2019 21:20:33 -0500 [thread overview]
Message-ID: <20190807022033.GA22623@embeddedor> (raw)
kmem_cache_free() frees *workload*, hence there is a use-after-free bug
when calling function gvt_vgpu_err().
Fix this by storing the value of workload->wa_ctx.indirect_ctx.guest_gma
and workload->wa_ctx.per_ctx.guest_gma into automatic variable
guest_gma before freeing *workload*, for its further use.
Addresses-Coverity-ID: 1452235 ("Read from pointer after free")
Fixes: 2089a76ade90 ("drm/i915/gvt: Checking workload's gma earlier")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
drivers/gpu/drm/i915/gvt/scheduler.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
index 32ae6b5b7e16..c8cdb4a309f6 100644
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -1525,9 +1525,11 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
if (!intel_gvt_ggtt_validate_range(vgpu,
workload->wa_ctx.indirect_ctx.guest_gma,
workload->wa_ctx.indirect_ctx.size)) {
+ unsigned long guest_gma =
+ workload->wa_ctx.indirect_ctx.guest_gma;
kmem_cache_free(s->workloads, workload);
gvt_vgpu_err("invalid wa_ctx at: 0x%lx\n",
- workload->wa_ctx.indirect_ctx.guest_gma);
+ guest_gma);
return ERR_PTR(-EINVAL);
}
}
@@ -1539,9 +1541,11 @@ intel_vgpu_create_workload(struct intel_vgpu *vgpu, int ring_id,
if (!intel_gvt_ggtt_validate_range(vgpu,
workload->wa_ctx.per_ctx.guest_gma,
CACHELINE_BYTES)) {
+ unsigned long guest_gma =
+ workload->wa_ctx.per_ctx.guest_gma;
kmem_cache_free(s->workloads, workload);
gvt_vgpu_err("invalid per_ctx at: 0x%lx\n",
- workload->wa_ctx.per_ctx.guest_gma);
+ guest_gma);
return ERR_PTR(-EINVAL);
}
}
--
2.22.0
next reply other threads:[~2019-08-07 2:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-07 2:20 Gustavo A. R. Silva [this message]
2019-08-07 2:20 ` [PATCH] drm/i915/gvt: Fix use-after-free in intel_vgpu_create_workload Gustavo A. R. Silva
2019-08-07 3:52 ` ✓ Fi.CI.BAT: success for " Patchwork
2019-08-07 10:46 ` ✓ Fi.CI.IGT: " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190807022033.GA22623@embeddedor \
--to=gustavo@embeddedor.com \
--cc=airlied@linux.ie \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=intel-gvt-dev@lists.freedesktop.org \
--cc=jani.nikula@linux.intel.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rodrigo.vivi@intel.com \
--cc=xiong.y.zhang@intel.com \
--cc=zhenyuw@linux.intel.com \
--cc=zhi.a.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.