diff options
| author | Jike Song <jike.song@intel.com> | 2016-12-15 21:51:05 -0500 |
|---|---|---|
| committer | Zhenyu Wang <zhenyuw@linux.intel.com> | 2016-12-25 20:45:29 -0500 |
| commit | faaaa53bdc6750c438887d44f99b60ad97ec74b4 (patch) | |
| tree | 5e1a0e43d3b4f64416770d2800fe98adf228e6f8 | |
| parent | bfeca3e5716a16b95a1fb7104e477ca3bd5ed59e (diff) | |
drm/i915/gvt/kvmgt: check returned slot for gfn
gfn_to_memslot() may return NULL if the gfn is mmio
or invalid. A malicious user might input a bad gfn
to panic the host if we don't check it.
Signed-off-by: Jike Song <jike.song@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
| -rw-r--r-- | drivers/gpu/drm/i915/gvt/kvmgt.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c index 4ba196796846..8b3b071a535e 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c | |||
| @@ -1137,6 +1137,10 @@ static int kvmgt_write_protect_add(unsigned long handle, u64 gfn) | |||
| 1137 | 1137 | ||
| 1138 | idx = srcu_read_lock(&kvm->srcu); | 1138 | idx = srcu_read_lock(&kvm->srcu); |
| 1139 | slot = gfn_to_memslot(kvm, gfn); | 1139 | slot = gfn_to_memslot(kvm, gfn); |
| 1140 | if (!slot) { | ||
| 1141 | srcu_read_unlock(&kvm->srcu, idx); | ||
| 1142 | return -EINVAL; | ||
| 1143 | } | ||
| 1140 | 1144 | ||
| 1141 | spin_lock(&kvm->mmu_lock); | 1145 | spin_lock(&kvm->mmu_lock); |
| 1142 | 1146 | ||
| @@ -1167,6 +1171,10 @@ static int kvmgt_write_protect_remove(unsigned long handle, u64 gfn) | |||
| 1167 | 1171 | ||
| 1168 | idx = srcu_read_lock(&kvm->srcu); | 1172 | idx = srcu_read_lock(&kvm->srcu); |
| 1169 | slot = gfn_to_memslot(kvm, gfn); | 1173 | slot = gfn_to_memslot(kvm, gfn); |
| 1174 | if (!slot) { | ||
| 1175 | srcu_read_unlock(&kvm->srcu, idx); | ||
| 1176 | return -EINVAL; | ||
| 1177 | } | ||
| 1170 | 1178 | ||
| 1171 | spin_lock(&kvm->mmu_lock); | 1179 | spin_lock(&kvm->mmu_lock); |
| 1172 | 1180 | ||