* [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-18 19:24 ` Zheng Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-09-18 19:24 UTC (permalink / raw)
  To: gregkh
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel

 From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
From: xmzyshypnc <1002992920@qq.com>
Date: Fri, 16 Sep 2022 23:48:23 +0800
Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry

There is a double-free security bug in split_2MB_gtt_entry.

Here is a calling chain :
ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which eventually calls ppgtt_free_spt and
kfree(spt). The caller does not notice this and calls
ppgtt_free_spt again on its error path.

Fix this by only freeing spt in ppgtt_invalidate_spt in good case.

Signed-off-by: xmzyshypnc <1002992920@qq.com>
---
  drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
  1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..550519f0acca 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct 
intel_vgpu_ppgtt_spt *spt)
      return atomic_dec_return(&spt->refcount);
  }

-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
is_error);

  static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
          struct intel_gvt_gtt_entry *e)
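Review bot: The new `is_error` parameter is an undocumented `int` that is only ever passed as 0 or 1, and it changes the ownership contract of `ppgtt_invalidate_spt` without saying so at the declaration; the kernel's `bool` would make the intent readable at each call site, and the ownership rule needs a comment. Suggested comment above the prototype: `/* Tear down spt's shadow entries. Frees spt only when !is_error; on the error path the caller keeps ownership and must free spt itself. */`. The same parameter is introduced in the definition in the `@@ -1016` hunk and at the callers in the `@@ -995`, `@@ -1215` and `@@ -1393` hunks, and the identical patch is posted again further down this thread, so the comment applies there as well.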
@@ -995,7 +995,7 @@ static int 
ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
                  ops->get_pfn(e));
          return -ENXIO;
      }
-    return ppgtt_invalidate_spt(s);
+    return ppgtt_invalidate_spt(s, 0);
  }

  static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct 
intel_vgpu_ppgtt_spt *spt,
      intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
  }

-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
is_error)
  {
      struct intel_vgpu *vgpu = spt->vgpu;
      struct intel_gvt_gtt_entry e;
@@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct 
intel_vgpu_ppgtt_spt *spt)
          }
      }

-    trace_spt_change(spt->vgpu->id, "release", spt,
+    if (!is_error) {
+        trace_spt_change(spt->vgpu->id, "release", spt,
               spt->guest_page.gfn, spt->shadow_page.type);
-    ppgtt_free_spt(spt);
+        ppgtt_free_spt(spt);
+    }
      return 0;
  fail:
      gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
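Review bot: On the `is_error` path the function still runs the entry-teardown loop that closes just above the new `if (!is_error)` and then returns 0, so the caller gets back an `spt` whose shadow entries have already been invalidated but whose object is still allocated; whether the caller's later `ppgtt_free_spt` (described in the commit message, outside this hunk) is safe on such a half-torn-down page is not visible here and should be confirmed before merging. A mode flag that flips who frees the argument is easy to misuse at future call sites; keeping `ppgtt_invalidate_spt` single-purpose and letting the one failing caller do its own unwinding (for example by extracting the entry-invalidation loop into a helper it can call) would avoid the split ownership. Skipping the `trace_spt_change(..., "release", ...)` event on the error path is consistent since nothing is released, but note it also removes the only trace of the failed split. `ppgtt_invalidate_spt` begins before this hunk and continues past it.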
@@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu 
*vgpu,
          ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
                             PAGE_SIZE, &dma_addr);
          if (ret) {
-            ppgtt_invalidate_spt(spt);
+            ppgtt_invalidate_spt(spt, 1);
              return ret;
          }
          sub_se.val64 = se->val64;
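Review bot: The result of `ppgtt_invalidate_spt(spt, 1)` is discarded, yet the function can still leave through its `fail:` label with an error (visible in the `@@ -1059` hunk), so a failure while unwinding is hidden behind the original `ret`; at minimum log it, e.g. `if (ppgtt_invalidate_spt(spt, 1))` followed by `gvt_vgpu_err("failed to unwind spt after dma map failure\n");`. It is also not clear from this hunk whether `spt` here is the table passed in by `split_2MB_gtt_entry`'s caller or the newly allocated sub-table whose entries this loop fills; if it is the former, invalidating it on failure tears down a table the caller still owns, and the object that needs unwinding and freeing is presumably the new sub-table — worth confirming against the full function. `split_2MB_gtt_entry` starts before this hunk and ends after it.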
@@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct 
intel_vgpu_ppgtt_spt *spt,
              ret = -ENXIO;
              goto fail;
          }
-        ret = ppgtt_invalidate_spt(s);
+        ret = ppgtt_invalidate_spt(s, 0);
          if (ret)
              goto fail;
      } else {
-- 
2.25.1




* [Intel-gfx] [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-18 19:24 ` Zheng Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-09-18 19:24 UTC (permalink / raw)
  To: gregkh
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel

 From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
From: xmzyshypnc <1002992920@qq.com>
Date: Fri, 16 Sep 2022 23:48:23 +0800
Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry

There is a double-free security bug in split_2MB_gtt_entry.

Here is a calling chain :
ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which eventually calls ppgtt_free_spt and
kfree(spt). The caller does not notice this and calls
ppgtt_free_spt again on its error path.

Fix this by only freeing spt in ppgtt_invalidate_spt in good case.

Signed-off-by: xmzyshypnc <1002992920@qq.com>
---
  drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
  1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..550519f0acca 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct 
intel_vgpu_ppgtt_spt *spt)
      return atomic_dec_return(&spt->refcount);
  }

-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
is_error);

  static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
          struct intel_gvt_gtt_entry *e)
@@ -995,7 +995,7 @@ static int 
ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
                  ops->get_pfn(e));
          return -ENXIO;
      }
-    return ppgtt_invalidate_spt(s);
+    return ppgtt_invalidate_spt(s, 0);
  }

  static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct 
intel_vgpu_ppgtt_spt *spt,
      intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
  }

-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
is_error)
  {
      struct intel_vgpu *vgpu = spt->vgpu;
      struct intel_gvt_gtt_entry e;
@@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct 
intel_vgpu_ppgtt_spt *spt)
          }
      }

-    trace_spt_change(spt->vgpu->id, "release", spt,
+    if (!is_error) {
+        trace_spt_change(spt->vgpu->id, "release", spt,
               spt->guest_page.gfn, spt->shadow_page.type);
-    ppgtt_free_spt(spt);
+        ppgtt_free_spt(spt);
+    }
      return 0;
  fail:
      gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu 
*vgpu,
          ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
                             PAGE_SIZE, &dma_addr);
          if (ret) {
-            ppgtt_invalidate_spt(spt);
+            ppgtt_invalidate_spt(spt, 1);
              return ret;
          }
          sub_se.val64 = se->val64;
@@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct 
intel_vgpu_ppgtt_spt *spt,
              ret = -ENXIO;
              goto fail;
          }
-        ret = ppgtt_invalidate_spt(s);
+        ret = ppgtt_invalidate_spt(s, 0);
          if (ret)
              goto fail;
      } else {
-- 
2.25.1




* Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-09-19  9:30   ` Jani Nikula
  -1 siblings, 0 replies; 93+ messages in thread
From: Jani Nikula @ 2022-09-19  9:30 UTC (permalink / raw)
  To: Zheng Wang, gregkh
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel

On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
>  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> From: xmzyshypnc <1002992920@qq.com>
> Date: Fri, 16 Sep 2022 23:48:23 +0800
> Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
>
> There is a double-free security bug in split_2MB_gtt_entry.
>
> Here is a calling chain :
> ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> kfree(spt). But the caller does not notice that, and it will call
> ppgtt_free_spt again in error path.
>
> Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
>
> Signed-off-by: xmzyshypnc <1002992920@qq.com>

Please use git send-email. The patch is whitespace broken and line
wrapped, making it unusable.

BR,
Jani.


> ---
>   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
>   1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..550519f0acca 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct 
> intel_vgpu_ppgtt_spt *spt)
>       return atomic_dec_return(&spt->refcount);
>   }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
> is_error);
>
>   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>           struct intel_gvt_gtt_entry *e)
> @@ -995,7 +995,7 @@ static int 
> ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>                   ops->get_pfn(e));
>           return -ENXIO;
>       }
> -    return ppgtt_invalidate_spt(s);
> +    return ppgtt_invalidate_spt(s, 0);
>   }
>
>   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct 
> intel_vgpu_ppgtt_spt *spt,
>       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
>   }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
> is_error)
>   {
>       struct intel_vgpu *vgpu = spt->vgpu;
>       struct intel_gvt_gtt_entry e;
> @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct 
> intel_vgpu_ppgtt_spt *spt)
>           }
>       }
>
> -    trace_spt_change(spt->vgpu->id, "release", spt,
> +    if (!is_error) {
> +        trace_spt_change(spt->vgpu->id, "release", spt,
>                spt->guest_page.gfn, spt->shadow_page.type);
> -    ppgtt_free_spt(spt);
> +        ppgtt_free_spt(spt);
> +    }
>       return 0;
>   fail:
>       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu 
> *vgpu,
>           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>                              PAGE_SIZE, &dma_addr);
>           if (ret) {
> -            ppgtt_invalidate_spt(spt);
> +            ppgtt_invalidate_spt(spt, 1);
>               return ret;
>           }
>           sub_se.val64 = se->val64;
> @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct 
> intel_vgpu_ppgtt_spt *spt,
>               ret = -ENXIO;
>               goto fail;
>           }
> -        ret = ppgtt_invalidate_spt(s);
> +        ret = ppgtt_invalidate_spt(s, 0);
>           if (ret)
>               goto fail;
>       } else {

-- 
Jani Nikula, Intel Open Source Graphics Center


* Re: [Intel-gfx] [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-19  9:30   ` Jani Nikula
  0 siblings, 0 replies; 93+ messages in thread
From: Jani Nikula @ 2022-09-19  9:30 UTC (permalink / raw)
  To: Zheng Wang, gregkh
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel

On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
>  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> From: xmzyshypnc <1002992920@qq.com>
> Date: Fri, 16 Sep 2022 23:48:23 +0800
> Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
>
> There is a double-free security bug in split_2MB_gtt_entry.
>
> Here is a calling chain :
> ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> kfree(spt). But the caller does not notice that, and it will call
> ppgtt_free_spt again in error path.
>
> Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
>
> Signed-off-by: xmzyshypnc <1002992920@qq.com>

Please use git send-email. The patch is whitespace broken and line
wrapped, making it unusable.

BR,
Jani.


> ---
>   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
>   1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..550519f0acca 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct 
> intel_vgpu_ppgtt_spt *spt)
>       return atomic_dec_return(&spt->refcount);
>   }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
> is_error);
>
>   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>           struct intel_gvt_gtt_entry *e)
> @@ -995,7 +995,7 @@ static int 
> ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>                   ops->get_pfn(e));
>           return -ENXIO;
>       }
> -    return ppgtt_invalidate_spt(s);
> +    return ppgtt_invalidate_spt(s, 0);
>   }
>
>   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct 
> intel_vgpu_ppgtt_spt *spt,
>       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
>   }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int 
> is_error)
>   {
>       struct intel_vgpu *vgpu = spt->vgpu;
>       struct intel_gvt_gtt_entry e;
> @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct 
> intel_vgpu_ppgtt_spt *spt)
>           }
>       }
>
> -    trace_spt_change(spt->vgpu->id, "release", spt,
> +    if (!is_error) {
> +        trace_spt_change(spt->vgpu->id, "release", spt,
>                spt->guest_page.gfn, spt->shadow_page.type);
> -    ppgtt_free_spt(spt);
> +        ppgtt_free_spt(spt);
> +    }
>       return 0;
>   fail:
>       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu 
> *vgpu,
>           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>                              PAGE_SIZE, &dma_addr);
>           if (ret) {
> -            ppgtt_invalidate_spt(spt);
> +            ppgtt_invalidate_spt(spt, 1);
>               return ret;
>           }
>           sub_se.val64 = se->val64;
> @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct 
> intel_vgpu_ppgtt_spt *spt,
>               ret = -ENXIO;
>               goto fail;
>           }
> -        ret = ppgtt_invalidate_spt(s);
> +        ret = ppgtt_invalidate_spt(s, 0);
>           if (ret)
>               goto fail;
>       } else {

-- 
Jani Nikula, Intel Open Source Graphics Center


* Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
  2022-09-19  9:30   ` [Intel-gfx] " Jani Nikula
  (?)
@ 2022-09-19  9:55     ` Zheng Hacker
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-09-19  9:55 UTC (permalink / raw)
  To: Jani Nikula
  Cc: tvrtko.ursulin, security, alex000young, airlied, gregkh,
	intel-gfx, linux-kernel, dri-devel, Zheng Wang

Got it. I'll try again later.

Best Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-19  9:55     ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-09-19  9:55 UTC (permalink / raw)
  To: Jani Nikula
  Cc: Zheng Wang, gregkh, alex000young, security, tvrtko.ursulin,
	airlied, intel-gfx, dri-devel, linux-kernel

Got it. I'll try again later.

Best Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* Re: [Intel-gfx] [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-19  9:55     ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-09-19  9:55 UTC (permalink / raw)
  To: Jani Nikula
  Cc: security, alex000young, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, Zheng Wang

Got it. I'll try again later.

Best Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* [Intel-gfx] ✗ Fi.CI.BUILD: failure for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev2)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
  (?)
  (?)
@ 2022-09-19 20:17 ` Patchwork
  -1 siblings, 0 replies; 93+ messages in thread
From: Patchwork @ 2022-09-19 20:17 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev2)
URL   : https://patchwork.freedesktop.org/series/108732/
State : failure

== Summary ==

Error: patch https://patchwork.freedesktop.org/api/1.0/series/108732/revisions/2/mbox/ not applied
Patch is empty.
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To record the empty patch as an empty commit, run "git am --allow-empty".
To restore the original branch and stop patching, run "git am --abort".




* Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
  2022-09-19  9:30   ` [Intel-gfx] " Jani Nikula
  (?)
@ 2022-09-21  9:13     ` Zheng Hacker
From: Zheng Hacker @ 2022-09-21  9:13 UTC (permalink / raw)
  To: Jani Nikula
  Cc: tvrtko.ursulin, security, alex000young, airlied, gregkh,
	intel-gfx, linux-kernel, dri-devel, Zheng Wang

I've sent it using git send-email with another email account (zyytlz.wz@163.com)

Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* Re: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-21  9:13     ` Zheng Hacker
From: Zheng Hacker @ 2022-09-21  9:13 UTC (permalink / raw)
  To: Jani Nikula
  Cc: Zheng Wang, gregkh, alex000young, security, tvrtko.ursulin,
	airlied, intel-gfx, dri-devel, linux-kernel

I've sent it using git send-email with another email account (zyytlz.wz@163.com)

Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* Re: [Intel-gfx] [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
@ 2022-09-21  9:13     ` Zheng Hacker
From: Zheng Hacker @ 2022-09-21  9:13 UTC (permalink / raw)
  To: Jani Nikula
  Cc: security, alex000young, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, Zheng Wang

I've sent it using git send-email with another email account (zyytlz.wz@163.com)

Regards,
Zheng Wang

Jani Nikula <jani.nikula@linux.intel.com> 于2022年9月19日周一 17:30写道:
>
> On Mon, 19 Sep 2022, Zheng Wang <1002992920@qq.com> wrote:
> >  From afe79848cb74cc8e45ab426d13fa2394c87e0422 Mon Sep 17 00:00:00 2001
> > From: xmzyshypnc <1002992920@qq.com>
> > Date: Fri, 16 Sep 2022 23:48:23 +0800
> > Subject: [PATCH] drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry
> >
> > There is a double-free security bug in split_2MB_gtt_entry.
> >
> > Here is a calling chain :
> > ppgtt_populate_spt->ppgtt_populate_shadow_entry->split_2MB_gtt_entry.
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally call ppgtt_free_spt and
> > kfree(spt). But the caller does not notice that, and it will call
> > ppgtt_free_spt again in error path.
> >
> > Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> >
> > Signed-off-by: xmzyshypnc <1002992920@qq.com>
>
> Please use git send-email. The patch is whitespace broken and line
> wrapped, making it unusable.
>
> BR,
> Jani.
>
>
> > ---
> >   drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
> >   1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..550519f0acca 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error);
> >
> >   static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >           struct intel_gvt_gtt_entry *e)
> > @@ -995,7 +995,7 @@ static int
> > ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> >                   ops->get_pfn(e));
> >           return -ENXIO;
> >       }
> > -    return ppgtt_invalidate_spt(s);
> > +    return ppgtt_invalidate_spt(s, 0);
> >   }
> >
> >   static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> > @@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct
> > intel_vgpu_ppgtt_spt *spt,
> >       intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
> >   }
> >
> > -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> > +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int
> > is_error)
> >   {
> >       struct intel_vgpu *vgpu = spt->vgpu;
> >       struct intel_gvt_gtt_entry e;
> > @@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct
> > intel_vgpu_ppgtt_spt *spt)
> >           }
> >       }
> >
> > -    trace_spt_change(spt->vgpu->id, "release", spt,
> > +    if (!is_error) {
> > +        trace_spt_change(spt->vgpu->id, "release", spt,
> >                spt->guest_page.gfn, spt->shadow_page.type);
> > -    ppgtt_free_spt(spt);
> > +        ppgtt_free_spt(spt);
> > +    }
> >       return 0;
> >   fail:
> >       gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > @@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu
> > *vgpu,
> >           ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
> >                              PAGE_SIZE, &dma_addr);
> >           if (ret) {
> > -            ppgtt_invalidate_spt(spt);
> > +            ppgtt_invalidate_spt(spt, 1);
> >               return ret;
> >           }
> >           sub_se.val64 = se->val64;
> > @@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct
> > intel_vgpu_ppgtt_spt *spt,
> >               ret = -ENXIO;
> >               goto fail;
> >           }
> > -        ret = ppgtt_invalidate_spt(s);
> > +        ret = ppgtt_invalidate_spt(s, 0);
> >           if (ret)
> >               goto fail;
> >       } else {
>
> --
> Jani Nikula, Intel Open Source Graphics Center


* [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-09-21  9:13     ` Zheng Hacker
@ 2022-09-28  3:33       ` Zheng Wang
From: Zheng Wang @ 2022-09-28  3:33 UTC (permalink / raw)
  To: hackerzheng666
  Cc: 1002992920, airlied, alex000young, dri-devel, gregkh, intel-gfx,
	jani.nikula, linux-kernel, security, tvrtko.ursulin, Zheng Wang

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice this and frees spt again in its error path.

Fix this by only freeing spt in ppgtt_invalidate_spt in the non-error case.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..550519f0acca 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 		struct intel_gvt_gtt_entry *e)
@@ -995,7 +995,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_spt(s, 0);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
 	struct intel_gvt_gtt_entry e;
@@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
+	if (!is_error) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
 			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
+		ppgtt_free_spt(spt);
+	}
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
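Review bot: The new `if (!is_error)` block changes who owns `spt` after the call — with the flag set, the function has already torn down the present shadow entries in the loop closed by the braces at the top of the hunk, yet returns 0 and leaves `spt` allocated for the caller to free — and nothing documents that contract; a comment above the definition in the preceding `@@ -1016` hunk such as `/* is_error: entries are invalidated but spt is not freed; the caller still owns it and must release it. */` would make both call sites readable. As a point of style, `bool is_error` with `true`/`false` at the call sites says more than `int` with `1`/`0`, and the forward declaration in the first hunk would follow. The function's head and the entry loop are outside this hunk.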
@@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
 		if (ret) {
-			ppgtt_invalidate_spt(spt);
+			ppgtt_invalidate_spt(spt, 1);
 			return ret;
 		}
 		sub_se.val64 = se->val64;
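Review bot: Passing the flag here stops the double free, but `ppgtt_invalidate_spt(spt, 1)` still operates on `spt`, while the entries being filled in this loop belong to the sub-table indexed by `sub_index`/`sub_se`; the guest pages that earlier iterations already mapped with `intel_gvt_dma_map_guest_page` are not unmapped before `return ret`, and that sub-table is not released, so the error path looks like it trades a double free for a DMA-mapping leak (hedged — the loop head and the sub-table allocation are outside the hunk). A safer shape is to unmap the sub-table's already-present entries with `ppgtt_invalidate_pte()` (the `@@ -1016` hunk) and free that sub-table, leaving `spt` alone for the caller that already frees it on failure. The return value of ppgtt_invalidate_spt(), which can fail through its `fail:` label, is also discarded on this path. split_2MB_gtt_entry begins and continues outside the hunk; the same applies to the other postings of this patch in the thread.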
@@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_spt(s, 0);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-09-28  3:33       ` Zheng Wang
From: Zheng Wang @ 2022-09-28  3:33 UTC (permalink / raw)
  To: hackerzheng666
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, linux-kernel, dri-devel, 1002992920, Zheng Wang

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice this and frees spt again in its error path.

Fix this by only freeing spt in ppgtt_invalidate_spt in the non-error case.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..550519f0acca 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 		struct intel_gvt_gtt_entry *e)
@@ -995,7 +995,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_spt(s, 0);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
 	struct intel_gvt_gtt_entry e;
@@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
+	if (!is_error) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
 			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
+		ppgtt_free_spt(spt);
+	}
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
 		if (ret) {
-			ppgtt_invalidate_spt(spt);
+			ppgtt_invalidate_spt(spt, 1);
 			return ret;
 		}
 		sub_se.val64 = se->val64;
@@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_spt(s, 0);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [Intel-gfx] [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-09-28  3:33       ` Zheng Wang
From: Zheng Wang @ 2022-09-28  3:33 UTC (permalink / raw)
  To: hackerzheng666
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice this and frees spt again in its error path.

Fix this by only freeing spt in ppgtt_invalidate_spt in the non-error case.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..550519f0acca 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 		struct intel_gvt_gtt_entry *e)
@@ -995,7 +995,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_spt(s, 0);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,7 +1016,7 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
 	struct intel_gvt_gtt_entry e;
@@ -1059,9 +1059,11 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
+	if (!is_error) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
 			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
+		ppgtt_free_spt(spt);
+	}
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1215,7 +1217,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
 		if (ret) {
-			ppgtt_invalidate_spt(spt);
+			ppgtt_invalidate_spt(spt, 1);
 			return ret;
 		}
 		sub_se.val64 = se->val64;
@@ -1393,7 +1395,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_spt(s, 0);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-09-29 18:16 ` Patchwork
From: Patchwork @ 2022-09-29 18:16 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
URL   : https://patchwork.freedesktop.org/series/108732/
State : warning

== Summary ==

Error: dim checkpatch failed
4b8a44dfb06a drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
-:54: CHECK:PARENTHESIS_ALIGNMENT: Alignment should match open parenthesis
#54: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1064:
+		trace_spt_change(spt->vgpu->id, "release", spt,
 			 spt->guest_page.gfn, spt->shadow_page.type);

total: 0 errors, 0 warnings, 1 checks, 53 lines checked




* [Intel-gfx] ✓ Fi.CI.BAT: success for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-09-29 18:40 ` Patchwork
From: Patchwork @ 2022-09-29 18:40 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx


== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
URL   : https://patchwork.freedesktop.org/series/108732/
State : success

== Summary ==

CI Bug Log - changes from CI_DRM_12199 -> Patchwork_108732v3
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/index.html

Participating hosts (49 -> 43)
------------------------------

  Missing    (6): fi-rkl-11600 fi-hsw-4200u fi-icl-u2 fi-ctg-p8600 fi-pnv-d510 fi-bdw-samus 

Possible new issues
-------------------

  Here are the unknown changes that may have been introduced in Patchwork_108732v3:

### IGT changes ###

#### Suppressed ####

  The following results come from untrusted machines, tests, or statuses.
  They do not affect the overall result.

  * igt@i915_selftest@live@slpc:
    - {bat-rpls-2}:       [DMESG-FAIL][1] ([i915#6367]) -> [DMESG-FAIL][2]
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/bat-rpls-2/igt@i915_selftest@live@slpc.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/bat-rpls-2/igt@i915_selftest@live@slpc.html
    - {bat-adln-1}:       [PASS][3] -> [DMESG-FAIL][4]
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/bat-adln-1/igt@i915_selftest@live@slpc.html
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/bat-adln-1/igt@i915_selftest@live@slpc.html

  
Known issues
------------

  Here are the changes found in Patchwork_108732v3 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@i915_suspend@basic-s3-without-i915:
    - fi-bdw-5557u:       [PASS][5] -> [INCOMPLETE][6] ([i915#146] / [i915#6712])
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/fi-bdw-5557u/igt@i915_suspend@basic-s3-without-i915.html
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/fi-bdw-5557u/igt@i915_suspend@basic-s3-without-i915.html

  * igt@kms_chamelium@common-hpd-after-suspend:
    - fi-snb-2600:        NOTRUN -> [SKIP][7] ([fdo#109271] / [fdo#111827])
   [7]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/fi-snb-2600/igt@kms_chamelium@common-hpd-after-suspend.html

  
#### Possible fixes ####

  * igt@gem_exec_suspend@basic-s0@smem:
    - {bat-adlm-1}:       [DMESG-WARN][8] ([i915#2867]) -> [PASS][9] +1 similar issue
   [8]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/bat-adlm-1/igt@gem_exec_suspend@basic-s0@smem.html
   [9]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/bat-adlm-1/igt@gem_exec_suspend@basic-s0@smem.html

  * igt@i915_selftest@live@hangcheck:
    - fi-snb-2600:        [INCOMPLETE][10] ([i915#6992]) -> [PASS][11]
   [10]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/fi-snb-2600/igt@i915_selftest@live@hangcheck.html
   [11]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/fi-snb-2600/igt@i915_selftest@live@hangcheck.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [i915#146]: https://gitlab.freedesktop.org/drm/intel/issues/146
  [i915#2867]: https://gitlab.freedesktop.org/drm/intel/issues/2867
  [i915#5278]: https://gitlab.freedesktop.org/drm/intel/issues/5278
  [i915#5537]: https://gitlab.freedesktop.org/drm/intel/issues/5537
  [i915#6367]: https://gitlab.freedesktop.org/drm/intel/issues/6367
  [i915#6434]: https://gitlab.freedesktop.org/drm/intel/issues/6434
  [i915#6559]: https://gitlab.freedesktop.org/drm/intel/issues/6559
  [i915#6712]: https://gitlab.freedesktop.org/drm/intel/issues/6712
  [i915#6818]: https://gitlab.freedesktop.org/drm/intel/issues/6818
  [i915#6992]: https://gitlab.freedesktop.org/drm/intel/issues/6992


Build changes
-------------

  * Linux: CI_DRM_12199 -> Patchwork_108732v3

  CI-20190529: 20190529
  CI_DRM_12199: 6fa6bc62d3b91e5a70b8e4869436a0b03083abf5 @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_6669: 3d2df081c14c251e0269e3510ddc4e9d26ffe925 @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v3: 6fa6bc62d3b91e5a70b8e4869436a0b03083abf5 @ git://anongit.freedesktop.org/gfx-ci/linux


### Linux commits

490039dffc70 drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/index.html



* [Intel-gfx] ✓ Fi.CI.IGT: success for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-09-30 18:41 ` Patchwork
  -1 siblings, 0 replies; 93+ messages in thread
From: Patchwork @ 2022-09-30 18:41 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

[-- Attachment #1: Type: text/plain, Size: 37195 bytes --]

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev3)
URL   : https://patchwork.freedesktop.org/series/108732/
State : success

== Summary ==

CI Bug Log - changes from CI_DRM_12199_full -> Patchwork_108732v3_full
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  

Participating hosts (9 -> 9)
------------------------------

  No changes in participating hosts

Known issues
------------

  Here are the changes found in Patchwork_108732v3_full that come from known issues:

### CI changes ###

#### Issues hit ####

  * boot:
    - shard-skl:          ([PASS][1], [PASS][2], [PASS][3], [PASS][4], [PASS][5], [PASS][6], [PASS][7], [PASS][8], [PASS][9], [PASS][10], [PASS][11], [PASS][12], [PASS][13], [PASS][14], [PASS][15], [PASS][16], [PASS][17], [PASS][18], [PASS][19], [PASS][20], [PASS][21], [PASS][22], [PASS][23], [PASS][24], [PASS][25]) -> ([PASS][26], [PASS][27], [PASS][28], [PASS][29], [PASS][30], [PASS][31], [PASS][32], [PASS][33], [PASS][34], [PASS][35], [PASS][36], [PASS][37], [PASS][38], [PASS][39], [PASS][40], [PASS][41], [FAIL][42], [PASS][43], [PASS][44], [PASS][45], [PASS][46], [PASS][47], [PASS][48], [PASS][49], [PASS][50]) ([i915#5032])
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl6/boot.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [7]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl4/boot.html
   [8]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl1/boot.html
   [9]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl1/boot.html
   [10]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl10/boot.html
   [11]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl10/boot.html
   [12]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl10/boot.html
   [13]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl10/boot.html
   [14]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl9/boot.html
   [15]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl9/boot.html
   [16]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl9/boot.html
   [17]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl9/boot.html
   [18]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl9/boot.html
   [19]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl7/boot.html
   [20]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl7/boot.html
   [21]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl7/boot.html
   [22]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl7/boot.html
   [23]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl6/boot.html
   [24]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl6/boot.html
   [25]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-skl6/boot.html
   [26]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl10/boot.html
   [27]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl10/boot.html
   [28]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl10/boot.html
   [29]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl10/boot.html
   [30]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl10/boot.html
   [31]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl1/boot.html
   [32]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl1/boot.html
   [33]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl1/boot.html
   [34]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl1/boot.html
   [35]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl4/boot.html
   [36]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl4/boot.html
   [37]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl4/boot.html
   [38]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl4/boot.html
   [39]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl6/boot.html
   [40]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl6/boot.html
   [41]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl6/boot.html
   [42]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl6/boot.html
   [43]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl7/boot.html
   [44]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl7/boot.html
   [45]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl7/boot.html
   [46]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl7/boot.html
   [47]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl9/boot.html
   [48]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl9/boot.html
   [49]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl9/boot.html
   [50]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-skl9/boot.html

  
#### Possible fixes ####

  * boot:
    - shard-glk:          ([PASS][51], [PASS][52], [PASS][53], [PASS][54], [PASS][55], [PASS][56], [PASS][57], [PASS][58], [PASS][59], [PASS][60], [PASS][61], [PASS][62], [PASS][63], [PASS][64], [PASS][65], [PASS][66], [FAIL][67], [PASS][68], [PASS][69], [FAIL][70], [PASS][71], [PASS][72], [PASS][73], [PASS][74], [PASS][75]) ([i915#4392]) -> ([PASS][76], [PASS][77], [PASS][78], [PASS][79], [PASS][80], [PASS][81], [PASS][82], [PASS][83], [PASS][84], [PASS][85], [PASS][86], [PASS][87], [PASS][88], [PASS][89], [PASS][90], [PASS][91], [PASS][92], [PASS][93], [PASS][94], [PASS][95], [PASS][96], [PASS][97], [PASS][98], [PASS][99], [PASS][100])
   [51]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk9/boot.html
   [52]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk9/boot.html
   [53]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk8/boot.html
   [54]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk8/boot.html
   [55]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk8/boot.html
   [56]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk7/boot.html
   [57]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk7/boot.html
   [58]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk7/boot.html
   [59]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/boot.html
   [60]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/boot.html
   [61]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/boot.html
   [62]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk5/boot.html
   [63]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk5/boot.html
   [64]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk5/boot.html
   [65]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/boot.html
   [66]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/boot.html
   [67]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/boot.html
   [68]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/boot.html
   [69]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk2/boot.html
   [70]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk2/boot.html
   [71]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk2/boot.html
   [72]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk2/boot.html
   [73]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk1/boot.html
   [74]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk1/boot.html
   [75]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk9/boot.html
   [76]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk1/boot.html
   [77]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk1/boot.html
   [78]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk1/boot.html
   [79]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/boot.html
   [80]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/boot.html
   [81]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/boot.html
   [82]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk3/boot.html
   [83]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk3/boot.html
   [84]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk3/boot.html
   [85]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk5/boot.html
   [86]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk5/boot.html
   [87]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk5/boot.html
   [88]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/boot.html
   [89]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/boot.html
   [90]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/boot.html
   [91]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk7/boot.html
   [92]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk7/boot.html
   [93]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk7/boot.html
   [94]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk8/boot.html
   [95]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk8/boot.html
   [96]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk8/boot.html
   [97]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk8/boot.html
   [98]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk9/boot.html
   [99]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk9/boot.html
   [100]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk9/boot.html

  

### IGT changes ###

#### Issues hit ####

  * igt@gem_ctx_sseu@invalid-sseu:
    - shard-tglb:         NOTRUN -> [SKIP][101] ([i915#280])
   [101]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gem_ctx_sseu@invalid-sseu.html

  * igt@gem_exec_balancer@parallel-bb-first:
    - shard-iclb:         [PASS][102] -> [SKIP][103] ([i915#4525]) +1 similar issue
   [102]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb4/igt@gem_exec_balancer@parallel-bb-first.html
   [103]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb7/igt@gem_exec_balancer@parallel-bb-first.html

  * igt@gem_exec_fair@basic-pace@rcs0:
    - shard-iclb:         [PASS][104] -> [FAIL][105] ([i915#2842])
   [104]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb7/igt@gem_exec_fair@basic-pace@rcs0.html
   [105]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb3/igt@gem_exec_fair@basic-pace@rcs0.html

  * igt@gem_exec_fair@basic-pace@vcs0:
    - shard-glk:          [PASS][106] -> [FAIL][107] ([i915#2842]) +1 similar issue
   [106]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/igt@gem_exec_fair@basic-pace@vcs0.html
   [107]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/igt@gem_exec_fair@basic-pace@vcs0.html

  * igt@gem_exec_params@rsvd2-dirt:
    - shard-tglb:         NOTRUN -> [SKIP][108] ([fdo#109283])
   [108]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gem_exec_params@rsvd2-dirt.html

  * igt@gem_lmem_swapping@random:
    - shard-tglb:         NOTRUN -> [SKIP][109] ([i915#4613])
   [109]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gem_lmem_swapping@random.html

  * igt@gem_lmem_swapping@random-engines:
    - shard-glk:          NOTRUN -> [SKIP][110] ([fdo#109271] / [i915#4613]) +1 similar issue
   [110]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@gem_lmem_swapping@random-engines.html

  * igt@gem_pxp@fail-invalid-protected-context:
    - shard-tglb:         NOTRUN -> [SKIP][111] ([i915#4270])
   [111]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gem_pxp@fail-invalid-protected-context.html

  * igt@gem_userptr_blits@coherency-unsync:
    - shard-tglb:         NOTRUN -> [SKIP][112] ([i915#3297])
   [112]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gem_userptr_blits@coherency-unsync.html

  * igt@gen9_exec_parse@batch-invalid-length:
    - shard-tglb:         NOTRUN -> [SKIP][113] ([i915#2527] / [i915#2856])
   [113]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@gen9_exec_parse@batch-invalid-length.html

  * igt@i915_pm_rc6_residency@rc6-idle@rcs0:
    - shard-tglb:         NOTRUN -> [WARN][114] ([i915#2681]) +3 similar issues
   [114]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@i915_pm_rc6_residency@rc6-idle@rcs0.html

  * igt@i915_pm_rps@engine-order:
    - shard-apl:          [PASS][115] -> [FAIL][116] ([i915#6537])
   [115]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-apl8/igt@i915_pm_rps@engine-order.html
   [116]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl6/igt@i915_pm_rps@engine-order.html

  * igt@kms_big_fb@4-tiled-max-hw-stride-64bpp-rotate-180:
    - shard-tglb:         NOTRUN -> [SKIP][117] ([i915#5286])
   [117]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_big_fb@4-tiled-max-hw-stride-64bpp-rotate-180.html

  * igt@kms_big_fb@y-tiled-8bpp-rotate-270:
    - shard-tglb:         NOTRUN -> [SKIP][118] ([fdo#111614]) +1 similar issue
   [118]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_big_fb@y-tiled-8bpp-rotate-270.html

  * igt@kms_big_fb@yf-tiled-addfb:
    - shard-tglb:         NOTRUN -> [SKIP][119] ([fdo#111615])
   [119]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_big_fb@yf-tiled-addfb.html

  * igt@kms_big_joiner@basic:
    - shard-tglb:         NOTRUN -> [SKIP][120] ([i915#2705])
   [120]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_big_joiner@basic.html

  * igt@kms_ccs@pipe-a-bad-rotation-90-4_tiled_dg2_mc_ccs:
    - shard-tglb:         NOTRUN -> [SKIP][121] ([i915#6095])
   [121]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_ccs@pipe-a-bad-rotation-90-4_tiled_dg2_mc_ccs.html

  * igt@kms_ccs@pipe-a-crc-sprite-planes-basic-y_tiled_gen12_mc_ccs:
    - shard-glk:          NOTRUN -> [SKIP][122] ([fdo#109271] / [i915#3886]) +3 similar issues
   [122]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_ccs@pipe-a-crc-sprite-planes-basic-y_tiled_gen12_mc_ccs.html

  * igt@kms_ccs@pipe-b-bad-aux-stride-y_tiled_gen12_mc_ccs:
    - shard-apl:          NOTRUN -> [SKIP][123] ([fdo#109271] / [i915#3886]) +2 similar issues
   [123]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl7/igt@kms_ccs@pipe-b-bad-aux-stride-y_tiled_gen12_mc_ccs.html

  * igt@kms_ccs@pipe-b-crc-primary-basic-yf_tiled_ccs:
    - shard-tglb:         NOTRUN -> [SKIP][124] ([fdo#111615] / [i915#3689]) +1 similar issue
   [124]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_ccs@pipe-b-crc-primary-basic-yf_tiled_ccs.html

  * igt@kms_ccs@pipe-b-missing-ccs-buffer-y_tiled_ccs:
    - shard-tglb:         NOTRUN -> [SKIP][125] ([i915#3689]) +1 similar issue
   [125]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_ccs@pipe-b-missing-ccs-buffer-y_tiled_ccs.html

  * igt@kms_ccs@pipe-c-bad-pixel-format-4_tiled_dg2_rc_ccs_cc:
    - shard-tglb:         NOTRUN -> [SKIP][126] ([i915#3689] / [i915#6095])
   [126]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_ccs@pipe-c-bad-pixel-format-4_tiled_dg2_rc_ccs_cc.html

  * igt@kms_ccs@pipe-c-missing-ccs-buffer-y_tiled_gen12_mc_ccs:
    - shard-tglb:         NOTRUN -> [SKIP][127] ([i915#3689] / [i915#3886])
   [127]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_ccs@pipe-c-missing-ccs-buffer-y_tiled_gen12_mc_ccs.html

  * igt@kms_chamelium@dp-hpd-fast:
    - shard-tglb:         NOTRUN -> [SKIP][128] ([fdo#109284] / [fdo#111827]) +2 similar issues
   [128]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_chamelium@dp-hpd-fast.html

  * igt@kms_chamelium@dp-hpd-storm-disable:
    - shard-glk:          NOTRUN -> [SKIP][129] ([fdo#109271] / [fdo#111827]) +3 similar issues
   [129]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_chamelium@dp-hpd-storm-disable.html

  * igt@kms_color_chamelium@ctm-0-75:
    - shard-apl:          NOTRUN -> [SKIP][130] ([fdo#109271] / [fdo#111827])
   [130]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl1/igt@kms_color_chamelium@ctm-0-75.html

  * igt@kms_content_protection@dp-mst-lic-type-1:
    - shard-tglb:         NOTRUN -> [SKIP][131] ([i915#3116] / [i915#3299])
   [131]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_content_protection@dp-mst-lic-type-1.html

  * igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size:
    - shard-glk:          [PASS][132] -> [FAIL][133] ([i915#2346])
   [132]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size.html
   [133]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size.html

  * igt@kms_flip@flip-vs-expired-vblank-interruptible@b-dp1:
    - shard-apl:          [PASS][134] -> [FAIL][135] ([i915#79])
   [134]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-apl1/igt@kms_flip@flip-vs-expired-vblank-interruptible@b-dp1.html
   [135]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl8/igt@kms_flip@flip-vs-expired-vblank-interruptible@b-dp1.html

  * igt@kms_flip_scaled_crc@flip-32bpp-4tile-to-64bpp-4tile-downscaling@pipe-a-valid-mode:
    - shard-iclb:         NOTRUN -> [SKIP][136] ([i915#2587] / [i915#2672]) +2 similar issues
   [136]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb4/igt@kms_flip_scaled_crc@flip-32bpp-4tile-to-64bpp-4tile-downscaling@pipe-a-valid-mode.html

  * igt@kms_flip_scaled_crc@flip-32bpp-yftile-to-32bpp-yftileccs-downscaling@pipe-a-default-mode:
    - shard-iclb:         NOTRUN -> [SKIP][137] ([i915#6375])
   [137]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_flip_scaled_crc@flip-32bpp-yftile-to-32bpp-yftileccs-downscaling@pipe-a-default-mode.html

  * igt@kms_flip_scaled_crc@flip-64bpp-4tile-to-32bpp-4tile-upscaling@pipe-a-default-mode:
    - shard-iclb:         NOTRUN -> [SKIP][138] ([i915#2672]) +5 similar issues
   [138]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb3/igt@kms_flip_scaled_crc@flip-64bpp-4tile-to-32bpp-4tile-upscaling@pipe-a-default-mode.html

  * igt@kms_flip_scaled_crc@flip-64bpp-4tile-to-32bpp-4tiledg2rcccs-downscaling@pipe-a-valid-mode:
    - shard-tglb:         NOTRUN -> [SKIP][139] ([i915#2587] / [i915#2672])
   [139]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_flip_scaled_crc@flip-64bpp-4tile-to-32bpp-4tiledg2rcccs-downscaling@pipe-a-valid-mode.html

  * igt@kms_flip_scaled_crc@flip-64bpp-linear-to-16bpp-linear-downscaling@pipe-a-default-mode:
    - shard-iclb:         NOTRUN -> [SKIP][140] ([i915#3555])
   [140]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_flip_scaled_crc@flip-64bpp-linear-to-16bpp-linear-downscaling@pipe-a-default-mode.html

  * igt@kms_flip_scaled_crc@flip-64bpp-ytile-to-32bpp-ytilercccs-downscaling@pipe-a-default-mode:
    - shard-iclb:         NOTRUN -> [SKIP][141] ([i915#2672] / [i915#3555])
   [141]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb3/igt@kms_flip_scaled_crc@flip-64bpp-ytile-to-32bpp-ytilercccs-downscaling@pipe-a-default-mode.html

  * igt@kms_frontbuffer_tracking@fbc-2p-primscrn-shrfb-pgflip-blt:
    - shard-glk:          [PASS][142] -> [FAIL][143] ([i915#1888] / [i915#2546])
   [142]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk9/igt@kms_frontbuffer_tracking@fbc-2p-primscrn-shrfb-pgflip-blt.html
   [143]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk7/igt@kms_frontbuffer_tracking@fbc-2p-primscrn-shrfb-pgflip-blt.html

  * igt@kms_frontbuffer_tracking@fbc-2p-scndscrn-shrfb-pgflip-blt:
    - shard-tglb:         NOTRUN -> [SKIP][144] ([fdo#109280] / [fdo#111825]) +9 similar issues
   [144]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_frontbuffer_tracking@fbc-2p-scndscrn-shrfb-pgflip-blt.html

  * igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-spr-indfb-onoff:
    - shard-iclb:         [PASS][145] -> [FAIL][146] ([i915#1888] / [i915#2546])
   [145]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-spr-indfb-onoff.html
   [146]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_frontbuffer_tracking@fbcpsr-1p-primscrn-spr-indfb-onoff.html

  * igt@kms_frontbuffer_tracking@fbcpsr-2p-scndscrn-spr-indfb-draw-mmap-wc:
    - shard-glk:          NOTRUN -> [SKIP][147] ([fdo#109271]) +73 similar issues
   [147]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_frontbuffer_tracking@fbcpsr-2p-scndscrn-spr-indfb-draw-mmap-wc.html

  * igt@kms_frontbuffer_tracking@fbcpsr-rgb565-draw-mmap-wc:
    - shard-tglb:         NOTRUN -> [SKIP][148] ([i915#6497]) +2 similar issues
   [148]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_frontbuffer_tracking@fbcpsr-rgb565-draw-mmap-wc.html

  * igt@kms_invalid_mode@clock-too-high@edp-1-pipe-d:
    - shard-tglb:         NOTRUN -> [SKIP][149] ([i915#6403]) +3 similar issues
   [149]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_invalid_mode@clock-too-high@edp-1-pipe-d.html

  * igt@kms_plane@plane-panning-bottom-right-suspend@pipe-b-planes:
    - shard-apl:          [PASS][150] -> [DMESG-WARN][151] ([i915#180]) +1 similar issue
   [150]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-apl2/igt@kms_plane@plane-panning-bottom-right-suspend@pipe-b-planes.html
   [151]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl2/igt@kms_plane@plane-panning-bottom-right-suspend@pipe-b-planes.html

  * igt@kms_plane_lowres@tiling-yf:
    - shard-tglb:         NOTRUN -> [SKIP][152] ([fdo#112054] / [i915#5288])
   [152]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_plane_lowres@tiling-yf.html

  * igt@kms_plane_scaling@plane-scaler-with-clipping-clamping-pixel-formats@pipe-b-edp-1:
    - shard-iclb:         [PASS][153] -> [SKIP][154] ([i915#5176]) +1 similar issue
   [153]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb1/igt@kms_plane_scaling@plane-scaler-with-clipping-clamping-pixel-formats@pipe-b-edp-1.html
   [154]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb3/igt@kms_plane_scaling@plane-scaler-with-clipping-clamping-pixel-formats@pipe-b-edp-1.html

  * igt@kms_psr2_sf@cursor-plane-update-sf:
    - shard-glk:          NOTRUN -> [SKIP][155] ([fdo#109271] / [i915#658]) +1 similar issue
   [155]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_psr2_sf@cursor-plane-update-sf.html

  * igt@kms_psr2_sf@overlay-plane-move-continuous-exceed-fully-sf:
    - shard-apl:          NOTRUN -> [SKIP][156] ([fdo#109271] / [i915#658])
   [156]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl1/igt@kms_psr2_sf@overlay-plane-move-continuous-exceed-fully-sf.html

  * igt@kms_psr2_sf@overlay-plane-move-continuous-sf:
    - shard-tglb:         NOTRUN -> [SKIP][157] ([i915#2920])
   [157]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_psr2_sf@overlay-plane-move-continuous-sf.html

  * igt@kms_psr@psr2_cursor_plane_onoff:
    - shard-tglb:         NOTRUN -> [FAIL][158] ([i915#132] / [i915#3467])
   [158]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_psr@psr2_cursor_plane_onoff.html

  * igt@kms_psr@psr2_sprite_plane_move:
    - shard-iclb:         [PASS][159] -> [SKIP][160] ([fdo#109441]) +2 similar issues
   [159]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb2/igt@kms_psr@psr2_sprite_plane_move.html
   [160]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb8/igt@kms_psr@psr2_sprite_plane_move.html

  * igt@kms_setmode@invalid-clone-single-crtc:
    - shard-tglb:         NOTRUN -> [SKIP][161] ([i915#3555])
   [161]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_setmode@invalid-clone-single-crtc.html

  * igt@kms_vblank@pipe-d-wait-forked-busy-hang:
    - shard-apl:          NOTRUN -> [SKIP][162] ([fdo#109271]) +47 similar issues
   [162]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl7/igt@kms_vblank@pipe-d-wait-forked-busy-hang.html

  * igt@kms_writeback@writeback-invalid-parameters:
    - shard-tglb:         NOTRUN -> [SKIP][163] ([i915#2437])
   [163]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@kms_writeback@writeback-invalid-parameters.html

  * igt@perf_pmu@event-wait@rcs0:
    - shard-tglb:         NOTRUN -> [SKIP][164] ([fdo#112283])
   [164]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@perf_pmu@event-wait@rcs0.html

  * igt@sysfs_clients@sema-50:
    - shard-tglb:         NOTRUN -> [SKIP][165] ([i915#2994])
   [165]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb2/igt@sysfs_clients@sema-50.html

  
#### Possible fixes ####

  * igt@gem_exec_fair@basic-flow@rcs0:
    - shard-tglb:         [FAIL][166] ([i915#2842]) -> [PASS][167] +1 similar issue
   [166]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-tglb8/igt@gem_exec_fair@basic-flow@rcs0.html
   [167]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-tglb8/igt@gem_exec_fair@basic-flow@rcs0.html

  * igt@gem_exec_fair@basic-none@vcs0:
    - shard-glk:          [FAIL][168] ([i915#2842]) -> [PASS][169]
   [168]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/igt@gem_exec_fair@basic-none@vcs0.html
   [169]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk7/igt@gem_exec_fair@basic-none@vcs0.html

  * igt@i915_pm_dc@dc6-psr:
    - shard-iclb:         [FAIL][170] ([i915#3989] / [i915#454]) -> [PASS][171]
   [170]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb7/igt@i915_pm_dc@dc6-psr.html
   [171]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb1/igt@i915_pm_dc@dc6-psr.html

  * igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions:
    - shard-glk:          [FAIL][172] ([i915#2346]) -> [PASS][173]
   [172]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk3/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions.html
   [173]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk6/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions.html

  * igt@kms_flip@2x-flip-vs-wf_vblank-interruptible@bc-hdmi-a1-hdmi-a2:
    - shard-glk:          [FAIL][174] ([i915#2122]) -> [PASS][175]
   [174]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/igt@kms_flip@2x-flip-vs-wf_vblank-interruptible@bc-hdmi-a1-hdmi-a2.html
   [175]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/igt@kms_flip@2x-flip-vs-wf_vblank-interruptible@bc-hdmi-a1-hdmi-a2.html

  * igt@kms_flip@flip-vs-expired-vblank-interruptible@b-hdmi-a1:
    - shard-glk:          [FAIL][176] ([i915#79]) -> [PASS][177]
   [176]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-glk6/igt@kms_flip@flip-vs-expired-vblank-interruptible@b-hdmi-a1.html
   [177]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-glk2/igt@kms_flip@flip-vs-expired-vblank-interruptible@b-hdmi-a1.html

  * igt@kms_psr2_su@frontbuffer-xrgb8888:
    - shard-iclb:         [SKIP][178] ([fdo#109642] / [fdo#111068] / [i915#658]) -> [PASS][179]
   [178]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_psr2_su@frontbuffer-xrgb8888.html
   [179]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_psr2_su@frontbuffer-xrgb8888.html

  * igt@kms_psr@psr2_sprite_mmap_gtt:
    - shard-iclb:         [SKIP][180] ([fdo#109441]) -> [PASS][181]
   [180]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_psr@psr2_sprite_mmap_gtt.html
   [181]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_psr@psr2_sprite_mmap_gtt.html

  * igt@perf_pmu@rc6-suspend:
    - shard-apl:          [DMESG-WARN][182] ([i915#180]) -> [PASS][183] +1 similar issue
   [182]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-apl8/igt@perf_pmu@rc6-suspend.html
   [183]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-apl1/igt@perf_pmu@rc6-suspend.html

  
#### Warnings ####

  * igt@gem_exec_balancer@parallel-ordering:
    - shard-iclb:         [SKIP][184] ([i915#4525]) -> [FAIL][185] ([i915#6117])
   [184]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@gem_exec_balancer@parallel-ordering.html
   [185]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@gem_exec_balancer@parallel-ordering.html

  * igt@i915_pm_dc@dc3co-vpb-simulation:
    - shard-iclb:         [SKIP][186] ([i915#658]) -> [SKIP][187] ([i915#588])
   [186]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@i915_pm_dc@dc3co-vpb-simulation.html
   [187]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@i915_pm_dc@dc3co-vpb-simulation.html

  * igt@kms_psr2_sf@overlay-plane-move-continuous-exceed-sf:
    - shard-iclb:         [SKIP][188] ([i915#658]) -> [SKIP][189] ([i915#2920])
   [188]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_psr2_sf@overlay-plane-move-continuous-exceed-sf.html
   [189]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_psr2_sf@overlay-plane-move-continuous-exceed-sf.html

  * igt@kms_psr2_sf@overlay-primary-update-sf-dmg-area:
    - shard-iclb:         [SKIP][190] ([i915#2920]) -> [SKIP][191] ([fdo#111068] / [i915#658])
   [190]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb2/igt@kms_psr2_sf@overlay-primary-update-sf-dmg-area.html
   [191]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb1/igt@kms_psr2_sf@overlay-primary-update-sf-dmg-area.html

  * igt@kms_psr2_sf@plane-move-sf-dmg-area:
    - shard-iclb:         [SKIP][192] ([fdo#111068] / [i915#658]) -> [SKIP][193] ([i915#2920]) +1 similar issue
   [192]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_psr2_sf@plane-move-sf-dmg-area.html
   [193]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_psr2_sf@plane-move-sf-dmg-area.html

  * igt@kms_psr2_su@page_flip-p010:
    - shard-iclb:         [SKIP][194] ([fdo#109642] / [fdo#111068] / [i915#658]) -> [FAIL][195] ([i915#5939])
   [194]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12199/shard-iclb6/igt@kms_psr2_su@page_flip-p010.html
   [195]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/shard-iclb2/igt@kms_psr2_su@page_flip-p010.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#109280]: https://bugs.freedesktop.org/show_bug.cgi?id=109280
  [fdo#109283]: https://bugs.freedesktop.org/show_bug.cgi?id=109283
  [fdo#109284]: https://bugs.freedesktop.org/show_bug.cgi?id=109284
  [fdo#109441]: https://bugs.freedesktop.org/show_bug.cgi?id=109441
  [fdo#109642]: https://bugs.freedesktop.org/show_bug.cgi?id=109642
  [fdo#111068]: https://bugs.freedesktop.org/show_bug.cgi?id=111068
  [fdo#111614]: https://bugs.freedesktop.org/show_bug.cgi?id=111614
  [fdo#111615]: https://bugs.freedesktop.org/show_bug.cgi?id=111615
  [fdo#111825]: https://bugs.freedesktop.org/show_bug.cgi?id=111825
  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [fdo#112054]: https://bugs.freedesktop.org/show_bug.cgi?id=112054
  [fdo#112283]: https://bugs.freedesktop.org/show_bug.cgi?id=112283
  [i915#132]: https://gitlab.freedesktop.org/drm/intel/issues/132
  [i915#180]: https://gitlab.freedesktop.org/drm/intel/issues/180
  [i915#1888]: https://gitlab.freedesktop.org/drm/intel/issues/1888
  [i915#2122]: https://gitlab.freedesktop.org/drm/intel/issues/2122
  [i915#2346]: https://gitlab.freedesktop.org/drm/intel/issues/2346
  [i915#2437]: https://gitlab.freedesktop.org/drm/intel/issues/2437
  [i915#2527]: https://gitlab.freedesktop.org/drm/intel/issues/2527
  [i915#2546]: https://gitlab.freedesktop.org/drm/intel/issues/2546
  [i915#2587]: https://gitlab.freedesktop.org/drm/intel/issues/2587
  [i915#2672]: https://gitlab.freedesktop.org/drm/intel/issues/2672
  [i915#2681]: https://gitlab.freedesktop.org/drm/intel/issues/2681
  [i915#2705]: https://gitlab.freedesktop.org/drm/intel/issues/2705
  [i915#280]: https://gitlab.freedesktop.org/drm/intel/issues/280
  [i915#2842]: https://gitlab.freedesktop.org/drm/intel/issues/2842
  [i915#2856]: https://gitlab.freedesktop.org/drm/intel/issues/2856
  [i915#2920]: https://gitlab.freedesktop.org/drm/intel/issues/2920
  [i915#2994]: https://gitlab.freedesktop.org/drm/intel/issues/2994
  [i915#3116]: https://gitlab.freedesktop.org/drm/intel/issues/3116
  [i915#3297]: https://gitlab.freedesktop.org/drm/intel/issues/3297
  [i915#3299]: https://gitlab.freedesktop.org/drm/intel/issues/3299
  [i915#3467]: https://gitlab.freedesktop.org/drm/intel/issues/3467
  [i915#3555]: https://gitlab.freedesktop.org/drm/intel/issues/3555
  [i915#3689]: https://gitlab.freedesktop.org/drm/intel/issues/3689
  [i915#3886]: https://gitlab.freedesktop.org/drm/intel/issues/3886
  [i915#3989]: https://gitlab.freedesktop.org/drm/intel/issues/3989
  [i915#4270]: https://gitlab.freedesktop.org/drm/intel/issues/4270
  [i915#4392]: https://gitlab.freedesktop.org/drm/intel/issues/4392
  [i915#4525]: https://gitlab.freedesktop.org/drm/intel/issues/4525
  [i915#454]: https://gitlab.freedesktop.org/drm/intel/issues/454
  [i915#4573]: https://gitlab.freedesktop.org/drm/intel/issues/4573
  [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613
  [i915#5032]: https://gitlab.freedesktop.org/drm/intel/issues/5032
  [i915#5176]: https://gitlab.freedesktop.org/drm/intel/issues/5176
  [i915#5286]: https://gitlab.freedesktop.org/drm/intel/issues/5286
  [i915#5288]: https://gitlab.freedesktop.org/drm/intel/issues/5288
  [i915#588]: https://gitlab.freedesktop.org/drm/intel/issues/588
  [i915#5939]: https://gitlab.freedesktop.org/drm/intel/issues/5939
  [i915#6095]: https://gitlab.freedesktop.org/drm/intel/issues/6095
  [i915#6117]: https://gitlab.freedesktop.org/drm/intel/issues/6117
  [i915#6375]: https://gitlab.freedesktop.org/drm/intel/issues/6375
  [i915#6403]: https://gitlab.freedesktop.org/drm/intel/issues/6403
  [i915#6497]: https://gitlab.freedesktop.org/drm/intel/issues/6497
  [i915#6537]: https://gitlab.freedesktop.org/drm/intel/issues/6537
  [i915#658]: https://gitlab.freedesktop.org/drm/intel/issues/658
  [i915#79]: https://gitlab.freedesktop.org/drm/intel/issues/79


Build changes
-------------

  * Linux: CI_DRM_12199 -> Patchwork_108732v3

  CI-20190529: 20190529
  CI_DRM_12199: 6fa6bc62d3b91e5a70b8e4869436a0b03083abf5 @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_6669: 3d2df081c14c251e0269e3510ddc4e9d26ffe925 @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v3: 6fa6bc62d3b91e5a70b8e4869436a0b03083abf5 @ git://anongit.freedesktop.org/gfx-ci/linux
  piglit_4509: fdc5a4ca11124ab8413c7988896eec4c97336694 @ git://anongit.freedesktop.org/piglit

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v3/index.html

[-- Attachment #2: Type: text/html, Size: 42870 bytes --]


* Re: [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-09-28  3:33       ` Zheng Wang
  (?)
@ 2022-10-02 14:18         ` Greg KH
  -1 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-02 14:18 UTC (permalink / raw)
  To: Zheng Wang
  Cc: hackerzheng666, 1002992920, airlied, alex000young, dri-devel,
	intel-gfx, jani.nikula, linux-kernel, security, tvrtko.ursulin

On Wed, Sep 28, 2022 at 11:33:40AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
>  1 file changed, 9 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..550519f0acca 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);

That is a horrible way to make an api (and it should be a bool too.)

Now every time you see this call in the code, you have to go look up
what the last parameter means.  Just make 2 functions, one that does the
"is error" thing, and one that does not, and that will be much easier to
maintain and understand for the next 10+ years.

thanks,

greg k-h


* Re: [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-02 14:18         ` Greg KH
  0 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-02 14:18 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

On Wed, Sep 28, 2022 at 11:33:40AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
>  1 file changed, 9 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..550519f0acca 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);

That is a horrible way to make an api (and it should be a bool too.)

Now every time you see this call in the code, you have to go look up
what the last parameter means.  Just make 2 functions, one that does the
"is error" thing, and one that does not, and that will be much easier to
maintain and understand for the next 10+ years.

thanks,

greg k-h


* Re: [Intel-gfx] [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-02 14:18         ` Greg KH
  0 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-02 14:18 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel, 1002992920

On Wed, Sep 28, 2022 at 11:33:40AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by only freeing spt in ppgtt_invalidate_spt in good case.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 16 +++++++++-------
>  1 file changed, 9 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..550519f0acca 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,7 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt, int is_error);

That is a horrible way to make an api (and it should be a bool too.)

Now every time you see this call in the code, you have to go look up
what the last parameter means.  Just make 2 functions, one that does the
"is error" thing, and one that does not, and that will be much easier to
maintain and understand for the next 10+ years.

thanks,

greg k-h


* Re: [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-02 14:18         ` Greg KH
  (?)
@ 2022-10-03  4:36           ` Zheng Hacker
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-10-03  4:36 UTC (permalink / raw)
  To: Greg KH
  Cc: Zheng Wang, 1002992920, airlied, alex000young, dri-devel,
	intel-gfx, jani.nikula, linux-kernel, security, tvrtko.ursulin

> That is a horrible way to make an api (and it should be a bool too.)
> Now every time you see this call in the code, you have to go look up
> what the last parameter means.  Just make 2 functions, one that does the
> "is error" thing, and one that does not, and that will be much easier to
> maintain and understand for the next 10+ years.

Got it. I'll figure out another way. :)

Thanks,
Zheng Wang


* Re: [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-03  4:36           ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-10-03  4:36 UTC (permalink / raw)
  To: Greg KH
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	linux-kernel, dri-devel, 1002992920, Zheng Wang

> That is a horrible way to make an api (and it should be a bool too.)
> Now every time you see this call in the code, you have to go look up
> what the last parameter means.  Just make 2 functions, one that does the
> "is error" thing, and one that does not, and that will be much easier to
> maintain and understand for the next 10+ years.

Got it. I'll figure out another way. :)

Thanks,
Zheng Wang


* Re: [Intel-gfx] [PATCH] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-03  4:36           ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-10-03  4:36 UTC (permalink / raw)
  To: Greg KH
  Cc: alex000young, security, airlied, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang

> That is a horrible way to make an api (and it should be a bool too.)
> Now every time you see this call in the code, you have to go look up
> what the last parameter means.  Just make 2 functions, one that does the
> "is error" thing, and one that does not, and that will be much easier to
> maintain and understand for the next 10+ years.

Got it. I'll figure out another way. :)

Thanks,
Zheng Wang


* [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-09-28  3:33       ` Zheng Wang
  (?)
@ 2022-10-06 16:58         ` Zheng Wang
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-10-06 16:58 UTC (permalink / raw)
  To: zyytlz.wz
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice that and frees spt again in its error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- split initial function into two api function suggested by Greg

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..55d8e1419302 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,31 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
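Review bot: In the new `ppgtt_invalidate_and_free_spt`, the local `struct intel_vgpu *vgpu = spt->vgpu;` is never read — every call in its body takes `spt` or `spt->vgpu->id` directly — so the kernel build will warn about an unused variable; drop that line from the new function (the loop that presumably uses `vgpu` now lives in `ppgtt_invalidate_spt`, which redeclares it). After the split, `ppgtt_invalidate_spt` neither drops the refcount nor frees the page, and callers outside this hunk (the commit message names split_2MB_gtt_entry's error path) rely on that; a comment above it stating the new ownership contract would keep the next reader from reintroducing the free, e.g. `/* Tear down the shadow entries only; does not drop the refcount or free @spt - the caller still owns it. */`. The re-indented trace_spt_change continuation line and the removed blank line are unrelated churn and can be left as in the original. The same points apply to the identical copies of this hunk in the two re-posts of this patch further down the thread.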
@@ -1059,9 +1073,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1404,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-06 16:58         ` Zheng Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-10-06 16:58 UTC (permalink / raw)
  To: zyytlz.wz
  Cc: 1002992920, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, jani.nikula, linux-kernel, security,
	tvrtko.ursulin

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice that and frees spt again in its error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- split initial function into two api function suggested by Greg

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..55d8e1419302 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,31 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
@@ -1059,9 +1073,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1404,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [Intel-gfx] [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-06 16:58         ` Zheng Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-10-06 16:58 UTC (permalink / raw)
  To: zyytlz.wz
  Cc: alex000young, security, airlied, gregkh, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which eventually frees the spt.
The caller does not notice that and frees spt again in its error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v2:
- split initial function into two api function suggested by Greg

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..55d8e1419302 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,31 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
 	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
@@ -1059,9 +1073,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1404,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* Re: [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-06 16:58         ` Zheng Wang
  (?)
@ 2022-10-06 19:23           ` Greg KH
  -1 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-06 19:23 UTC (permalink / raw)
  To: Zheng Wang
  Cc: 1002992920, airlied, alex000young, dri-devel, hackerzheng666,
	intel-gfx, jani.nikula, linux-kernel, security, tvrtko.ursulin

On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> Only free spt when in good case.
> 
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v2:
> - split initial function into two api function suggested by Greg
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
>  1 file changed, 21 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..55d8e1419302 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);

Odd extra space after the 'int', why?



* Re: [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-06 19:23           ` Greg KH
  0 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-06 19:23 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> Only free spt when in good case.
> 
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v2:
> - split initial function into two api function suggested by Greg
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
>  1 file changed, 21 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..55d8e1419302 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);

Odd extra space after the 'int', why?



* Re: [Intel-gfx] [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-06 19:23           ` Greg KH
  0 siblings, 0 replies; 93+ messages in thread
From: Greg KH @ 2022-10-06 19:23 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel, 1002992920

On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
> 
> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> Only free spt when in good case.
> 
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v2:
> - split initial function into two api function suggested by Greg
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
>  1 file changed, 21 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..55d8e1419302 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>  	return atomic_dec_return(&spt->refcount);
>  }
>  
> +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);

Odd extra space after the 'int', why?



* Re: [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-06 19:23           ` Greg KH
  (?)
@ 2022-10-07  0:39             ` Zheng Hacker
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-10-07  0:39 UTC (permalink / raw)
  To: Greg KH
  Cc: Zheng Wang, 1002992920, airlied, alex000young, dri-devel,
	intel-gfx, jani.nikula, linux-kernel, security, tvrtko.ursulin

Greg KH <gregkh@linuxfoundation.org> 于2022年10月7日周五 03:22写道:
>
> On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> > v2:
> > - split initial function into two api function suggested by Greg
> >
> > v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
> >  1 file changed, 21 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..55d8e1419302 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >  }
> >
> > +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>
> Odd extra space after the 'int', why?
>

Hi Greg,

Sorry it's a spelling mistake. I'll correct it right away :)

Thanks,
Zheng Wang


* Re: [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-07  0:39             ` Zheng Hacker
From: Zheng Hacker @ 2022-10-07  0:39 UTC (permalink / raw)
  To: Greg KH
  Cc: alex000young, security, tvrtko.ursulin, airlied, intel-gfx,
	linux-kernel, dri-devel, 1002992920, Zheng Wang

Greg KH <gregkh@linuxfoundation.org> 于2022年10月7日周五 03:22写道:
>
> On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> > v2:
> > - split initial function into two api function suggested by Greg
> >
> > v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
> >  1 file changed, 21 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..55d8e1419302 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >  }
> >
> > +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>
> Odd extra space after the 'int', why?
>

Hi Greg,

Sorry it's a spelling mistake. I'll correct it right away :)

Thanks,
Zheng Wang


* Re: [Intel-gfx] [PATCH v2] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-07  0:39             ` Zheng Hacker
From: Zheng Hacker @ 2022-10-07  0:39 UTC (permalink / raw)
  To: Greg KH
  Cc: alex000young, security, airlied, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang

Greg KH <gregkh@linuxfoundation.org> 于2022年10月7日周五 03:22写道:
>
> On Fri, Oct 07, 2022 at 12:58:45AM +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> > v2:
> > - split initial function into two api function suggested by Greg
> >
> > v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> > ---
> >  drivers/gpu/drm/i915/gvt/gtt.c | 31 +++++++++++++++++++++----------
> >  1 file changed, 21 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> > index ce0eb03709c3..55d8e1419302 100644
> > --- a/drivers/gpu/drm/i915/gvt/gtt.c
> > +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> > @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
> >       return atomic_dec_return(&spt->refcount);
> >  }
> >
> > +static int  ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>
> Odd extra space after the 'int', why?
>

Hi Greg,

Sorry it's a spelling mistake. I'll correct it right away :)

Thanks,
Zheng Wang


* [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-06 19:23           ` Greg KH
@ 2022-10-07  1:37             ` Zheng Wang
From: Zheng Wang @ 2022-10-07  1:37 UTC (permalink / raw)
  To: gregkh
  Cc: 1002992920, airlied, alex000young, dri-devel, hackerzheng666,
	intel-gfx, linux-kernel, security, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which finally frees the spt.
But the caller does not notice that, and frees the spt again in the error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free the spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..865d33762e45 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
-	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
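Review bot: The new ppgtt_invalidate_and_free_spt() carries no comment on the contract it splits: ppgtt_invalidate_spt() now neither drops the reference nor frees the page, so whoever calls the bare function owns the free, and a future caller expecting the old invalidate-implies-release behaviour will leak. I would put `/* Drop one reference; on the last one, invalidate the shadow entries and free the page. ppgtt_invalidate_spt() alone does neither — its caller owns the free. */` above the new definition. Note also that when ppgtt_invalidate_spt() fails here the refcount has already reached zero but the page stays allocated, which matches the pre-patch fail: behaviour but is now easy to miss because the refcount drop and the free live in different functions. The re-indentation of the "die" trace_spt_change continuation line and the dropped blank line are unrelated whitespace churn and should be reverted. Since no hunk touches split_2MB_gtt_entry itself, the fix presumably relies on that function's error path, outside this patch, calling ppgtt_invalidate_spt() and then ppgtt_free_spt(); the same hunk recurs in the two further copies of this message and in the copies quoted in Dave Airlie's replies.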
@@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-07  1:37             ` Zheng Wang
From: Zheng Wang @ 2022-10-07  1:37 UTC (permalink / raw)
  To: gregkh
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel, 1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which finally frees the spt.
But the caller does not notice that, and frees the spt again in the error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free the spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..865d33762e45 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
-	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
@@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-07  1:37             ` Zheng Wang
From: Zheng Wang @ 2022-10-07  1:37 UTC (permalink / raw)
  To: gregkh
  Cc: alex000young, security, airlied, intel-gfx, hackerzheng666,
	dri-devel, linux-kernel, 1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which finally frees the spt.
But the caller does not notice that, and frees the spt again in the error path.

Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
Only free the spt in the good case.

Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index ce0eb03709c3..865d33762e45 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
 	return atomic_dec_return(&spt->refcount);
 }
 
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
 static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
 
 static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
@@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
 				ops->get_pfn(e));
 		return -ENXIO;
 	}
-	return ppgtt_invalidate_spt(s);
+	return ppgtt_invalidate_and_free_spt(s);
 }
 
 static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
@@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
 	intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
 }
 
-static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
 {
-	struct intel_vgpu *vgpu = spt->vgpu;
-	struct intel_gvt_gtt_entry e;
-	unsigned long index;
 	int ret;
 
 	trace_spt_change(spt->vgpu->id, "die", spt,
-			spt->guest_page.gfn, spt->shadow_page.type);
-
+		spt->guest_page.gfn, spt->shadow_page.type);
 	if (ppgtt_put_spt(spt) > 0)
 		return 0;
+	ret = ppgtt_invalidate_spt(spt);
+	if (!ret) {
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);
+		ppgtt_free_spt(spt);
+	}
+
+	return ret;
+}
+
+static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
+{
+	struct intel_vgpu *vgpu = spt->vgpu;
+	struct intel_gvt_gtt_entry e;
+	unsigned long index;
+	int ret;
 
 	for_each_present_shadow_entry(spt, &e, index) {
 		switch (e.type) {
@@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
 		}
 	}
 
-	trace_spt_change(spt->vgpu->id, "release", spt,
-			 spt->guest_page.gfn, spt->shadow_page.type);
-	ppgtt_free_spt(spt);
 	return 0;
 fail:
 	gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
@@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
 			ret = -ENXIO;
 			goto fail;
 		}
-		ret = ppgtt_invalidate_spt(s);
+		ret = ppgtt_invalidate_and_free_spt(s);
 		if (ret)
 			goto fail;
 	} else {
-- 
2.25.1



* [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev5)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-10-10 15:00 ` Patchwork
From: Patchwork @ 2022-10-10 15:00 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev5)
URL   : https://patchwork.freedesktop.org/series/108732/
State : warning

== Summary ==

Error: dim checkpatch failed
179c557abab8 drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
-:58: CHECK:PARENTHESIS_ALIGNMENT: Alignment should match open parenthesis
#58: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1031:
+		trace_spt_change(spt->vgpu->id, "release", spt,
+			 spt->guest_page.gfn, spt->shadow_page.type);

total: 0 errors, 0 warnings, 1 checks, 68 lines checked




* [Intel-gfx] ✗ Fi.CI.BAT: failure for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev5)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-10-10 15:30 ` Patchwork
From: Patchwork @ 2022-10-10 15:30 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

[-- Attachment #1: Type: text/plain, Size: 7877 bytes --]

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev5)
URL   : https://patchwork.freedesktop.org/series/108732/
State : failure

== Summary ==

CI Bug Log - changes from CI_DRM_12230 -> Patchwork_108732v5
====================================================

Summary
-------

  **FAILURE**

  Serious unknown changes coming with Patchwork_108732v5 absolutely need to be
  verified manually.
  
  If you think the reported changes have nothing to do with the changes
  introduced in Patchwork_108732v5, please notify your bug team to allow them
  to document this new failure mode, which will reduce false positives in CI.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/index.html

Participating hosts (47 -> 45)
------------------------------

  Additional (1): fi-kbl-soraka 
  Missing    (3): fi-ctg-p8600 bat-adln-1 fi-tgl-dsi 

Possible new issues
-------------------

  Here are the unknown changes that may have been introduced in Patchwork_108732v5:

### IGT changes ###

#### Possible regressions ####

  * igt@i915_suspend@basic-s3-without-i915:
    - fi-cml-u2:          [PASS][1] -> [INCOMPLETE][2]
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-cml-u2/igt@i915_suspend@basic-s3-without-i915.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-cml-u2/igt@i915_suspend@basic-s3-without-i915.html

  
Known issues
------------

  Here are the changes found in Patchwork_108732v5 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@gem_exec_gttfill@basic:
    - fi-kbl-soraka:      NOTRUN -> [SKIP][3] ([fdo#109271]) +9 similar issues
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@gem_exec_gttfill@basic.html

  * igt@gem_huc_copy@huc-copy:
    - fi-kbl-soraka:      NOTRUN -> [SKIP][4] ([fdo#109271] / [i915#2190])
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@gem_huc_copy@huc-copy.html

  * igt@gem_lmem_swapping@basic:
    - fi-kbl-soraka:      NOTRUN -> [SKIP][5] ([fdo#109271] / [i915#4613]) +3 similar issues
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@gem_lmem_swapping@basic.html

  * igt@i915_module_load@load:
    - fi-kbl-soraka:      NOTRUN -> [DMESG-WARN][6] ([i915#1982])
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@i915_module_load@load.html

  * igt@i915_selftest@live@gt_pm:
    - fi-kbl-soraka:      NOTRUN -> [DMESG-FAIL][7] ([i915#1886])
   [7]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@i915_selftest@live@gt_pm.html

  * igt@i915_selftest@live@hangcheck:
    - fi-snb-2600:        [PASS][8] -> [INCOMPLETE][9] ([i915#6992])
   [8]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-snb-2600/igt@i915_selftest@live@hangcheck.html
   [9]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-snb-2600/igt@i915_selftest@live@hangcheck.html

  * igt@i915_selftest@live@reset:
    - fi-kbl-soraka:      NOTRUN -> [INCOMPLETE][10] ([i915#7089])
   [10]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@i915_selftest@live@reset.html

  * igt@kms_chamelium@common-hpd-after-suspend:
    - fi-rkl-11600:       NOTRUN -> [SKIP][11] ([fdo#111827])
   [11]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-rkl-11600/igt@kms_chamelium@common-hpd-after-suspend.html

  * igt@kms_chamelium@hdmi-hpd-fast:
    - fi-kbl-soraka:      NOTRUN -> [SKIP][12] ([fdo#109271] / [fdo#111827]) +7 similar issues
   [12]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-kbl-soraka/igt@kms_chamelium@hdmi-hpd-fast.html

  * igt@kms_force_connector_basic@force-connector-state:
    - fi-cfl-8109u:       [PASS][13] -> [DMESG-WARN][14] ([i915#62])
   [13]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-cfl-8109u/igt@kms_force_connector_basic@force-connector-state.html
   [14]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-cfl-8109u/igt@kms_force_connector_basic@force-connector-state.html

  
#### Possible fixes ####

  * igt@gem_exec_suspend@basic-s0@smem:
    - {bat-rplp-1}:       [DMESG-WARN][15] ([i915#2867]) -> [PASS][16]
   [15]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/bat-rplp-1/igt@gem_exec_suspend@basic-s0@smem.html
   [16]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/bat-rplp-1/igt@gem_exec_suspend@basic-s0@smem.html

  * igt@i915_selftest@live@late_gt_pm:
    - fi-cfl-8109u:       [DMESG-WARN][17] ([i915#5904]) -> [PASS][18] +30 similar issues
   [17]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-cfl-8109u/igt@i915_selftest@live@late_gt_pm.html
   [18]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-cfl-8109u/igt@i915_selftest@live@late_gt_pm.html

  * igt@i915_selftest@live@reset:
    - {bat-rpls-2}:       [DMESG-FAIL][19] ([i915#5828]) -> [PASS][20]
   [19]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/bat-rpls-2/igt@i915_selftest@live@reset.html
   [20]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/bat-rpls-2/igt@i915_selftest@live@reset.html

  * igt@i915_suspend@basic-s2idle-without-i915:
    - fi-cfl-8109u:       [DMESG-WARN][21] ([i915#5904] / [i915#62]) -> [PASS][22]
   [21]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-cfl-8109u/igt@i915_suspend@basic-s2idle-without-i915.html
   [22]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-cfl-8109u/igt@i915_suspend@basic-s2idle-without-i915.html

  * igt@i915_suspend@basic-s3-without-i915:
    - fi-rkl-11600:       [INCOMPLETE][23] ([i915#5982]) -> [PASS][24]
   [23]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12230/fi-rkl-11600/igt@i915_suspend@basic-s3-without-i915.html
   [24]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/fi-rkl-11600/igt@i915_suspend@basic-s3-without-i915.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [i915#1886]: https://gitlab.freedesktop.org/drm/intel/issues/1886
  [i915#1982]: https://gitlab.freedesktop.org/drm/intel/issues/1982
  [i915#2190]: https://gitlab.freedesktop.org/drm/intel/issues/2190
  [i915#2582]: https://gitlab.freedesktop.org/drm/intel/issues/2582
  [i915#2867]: https://gitlab.freedesktop.org/drm/intel/issues/2867
  [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613
  [i915#5828]: https://gitlab.freedesktop.org/drm/intel/issues/5828
  [i915#5904]: https://gitlab.freedesktop.org/drm/intel/issues/5904
  [i915#5982]: https://gitlab.freedesktop.org/drm/intel/issues/5982
  [i915#62]: https://gitlab.freedesktop.org/drm/intel/issues/62
  [i915#6367]: https://gitlab.freedesktop.org/drm/intel/issues/6367
  [i915#6559]: https://gitlab.freedesktop.org/drm/intel/issues/6559
  [i915#6818]: https://gitlab.freedesktop.org/drm/intel/issues/6818
  [i915#6992]: https://gitlab.freedesktop.org/drm/intel/issues/6992
  [i915#7089]: https://gitlab.freedesktop.org/drm/intel/issues/7089


Build changes
-------------

  * Linux: CI_DRM_12230 -> Patchwork_108732v5

  CI-20190529: 20190529
  CI_DRM_12230: 345932c390f8b2e97a89749633e2c3c523f6f740 @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_7006: ea6d73b73b88de85d921cbc2680ae8979a2c3ce9 @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v5: 345932c390f8b2e97a89749633e2c3c523f6f740 @ git://anongit.freedesktop.org/gfx-ci/linux


### Linux commits

329f5e670946 drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v5/index.html

[-- Attachment #2: Type: text/html, Size: 9030 bytes --]


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-07  1:37             ` Zheng Wang
@ 2022-10-27  0:01               ` Dave Airlie
From: Dave Airlie @ 2022-10-27  0:01 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
>
> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> Only free spt when in good case.
>
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>

Has this landed in a tree yet, since it's a possible CVE, might be
good to merge it somewhere.

Dave.

> ---
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
>
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
>
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
>  1 file changed, 21 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..865d33762e45 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>         return atomic_dec_return(&spt->refcount);
>  }
>
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>  static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
>
>  static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> @@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>                                 ops->get_pfn(e));
>                 return -ENXIO;
>         }
> -       return ppgtt_invalidate_spt(s);
> +       return ppgtt_invalidate_and_free_spt(s);
>  }
>
>  static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> @@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
>         intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
>  }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
>  {
> -       struct intel_vgpu *vgpu = spt->vgpu;
> -       struct intel_gvt_gtt_entry e;
> -       unsigned long index;
>         int ret;
>
>         trace_spt_change(spt->vgpu->id, "die", spt,
> -                       spt->guest_page.gfn, spt->shadow_page.type);
> -
> +               spt->guest_page.gfn, spt->shadow_page.type);
>         if (ppgtt_put_spt(spt) > 0)
>                 return 0;
> +       ret = ppgtt_invalidate_spt(spt);
> +       if (!ret) {
> +               trace_spt_change(spt->vgpu->id, "release", spt,
> +                        spt->guest_page.gfn, spt->shadow_page.type);
> +               ppgtt_free_spt(spt);
> +       }
> +
> +       return ret;
> +}
> +
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +{
> +       struct intel_vgpu *vgpu = spt->vgpu;
> +       struct intel_gvt_gtt_entry e;
> +       unsigned long index;
> +       int ret;
>
>         for_each_present_shadow_entry(spt, &e, index) {
>                 switch (e.type) {
> @@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
>                 }
>         }
>
> -       trace_spt_change(spt->vgpu->id, "release", spt,
> -                        spt->guest_page.gfn, spt->shadow_page.type);
> -       ppgtt_free_spt(spt);
>         return 0;
>  fail:
>         gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> @@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
>                         ret = -ENXIO;
>                         goto fail;
>                 }
> -               ret = ppgtt_invalidate_spt(s);
> +               ret = ppgtt_invalidate_and_free_spt(s);
>                 if (ret)
>                         goto fail;
>         } else {
> --
> 2.25.1
>


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  0:01               ` Dave Airlie
From: Dave Airlie @ 2022-10-27  0:01 UTC (permalink / raw)
  To: Zheng Wang
  Cc: gregkh, alex000young, security, airlied, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
>
> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> Only free spt when in good case.
>
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>

Has this landed in a tree yet, since it's a possible CVE, might be
good to merge it somewhere.

Dave.

> ---
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
>
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
>
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
>  1 file changed, 21 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..865d33762e45 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>         return atomic_dec_return(&spt->refcount);
>  }
>
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>  static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
>
>  static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> @@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>                                 ops->get_pfn(e));
>                 return -ENXIO;
>         }
> -       return ppgtt_invalidate_spt(s);
> +       return ppgtt_invalidate_and_free_spt(s);
>  }
>
>  static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> @@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
>         intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
>  }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
>  {
> -       struct intel_vgpu *vgpu = spt->vgpu;
> -       struct intel_gvt_gtt_entry e;
> -       unsigned long index;
>         int ret;
>
>         trace_spt_change(spt->vgpu->id, "die", spt,
> -                       spt->guest_page.gfn, spt->shadow_page.type);
> -
> +               spt->guest_page.gfn, spt->shadow_page.type);
>         if (ppgtt_put_spt(spt) > 0)
>                 return 0;
> +       ret = ppgtt_invalidate_spt(spt);
> +       if (!ret) {
> +               trace_spt_change(spt->vgpu->id, "release", spt,
> +                        spt->guest_page.gfn, spt->shadow_page.type);
> +               ppgtt_free_spt(spt);
> +       }
> +
> +       return ret;
> +}
> +
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +{
> +       struct intel_vgpu *vgpu = spt->vgpu;
> +       struct intel_gvt_gtt_entry e;
> +       unsigned long index;
> +       int ret;
>
>         for_each_present_shadow_entry(spt, &e, index) {
>                 switch (e.type) {
> @@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
>                 }
>         }
>
> -       trace_spt_change(spt->vgpu->id, "release", spt,
> -                        spt->guest_page.gfn, spt->shadow_page.type);
> -       ppgtt_free_spt(spt);
>         return 0;
>  fail:
>         gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> @@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
>                         ret = -ENXIO;
>                         goto fail;
>                 }
> -               ret = ppgtt_invalidate_spt(s);
> +               ret = ppgtt_invalidate_and_free_spt(s);
>                 if (ret)
>                         goto fail;
>         } else {
> --
> 2.25.1
>


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  0:01               ` Dave Airlie
From: Dave Airlie @ 2022-10-27  0:01 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920

On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
>
> If intel_gvt_dma_map_guest_page failed, it will call
> ppgtt_invalidate_spt, which will finally free the spt.
> But the caller does not notice that, it will free spt again in error path.
>
> Fix this by splitting invalidate and free in ppgtt_invalidate_spt.
> Only free spt in the good case.
>
> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>

Has this landed in a tree yet, since it's a possible CVE, might be
good to merge it somewhere.

Dave.

> ---
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
>
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
>
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 32 +++++++++++++++++++++-----------
>  1 file changed, 21 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index ce0eb03709c3..865d33762e45 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -959,6 +959,7 @@ static inline int ppgtt_put_spt(struct intel_vgpu_ppgtt_spt *spt)
>         return atomic_dec_return(&spt->refcount);
>  }
>
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt);
>  static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt);
>
>  static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
> @@ -995,7 +996,7 @@ static int ppgtt_invalidate_spt_by_shadow_entry(struct intel_vgpu *vgpu,
>                                 ops->get_pfn(e));
>                 return -ENXIO;
>         }
> -       return ppgtt_invalidate_spt(s);
> +       return ppgtt_invalidate_and_free_spt(s);
>  }
>
>  static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
> @@ -1016,18 +1017,30 @@ static inline void ppgtt_invalidate_pte(struct intel_vgpu_ppgtt_spt *spt,
>         intel_gvt_dma_unmap_guest_page(vgpu, pfn << PAGE_SHIFT);
>  }
>
> -static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +static int ppgtt_invalidate_and_free_spt(struct intel_vgpu_ppgtt_spt *spt)
>  {
> -       struct intel_vgpu *vgpu = spt->vgpu;
> -       struct intel_gvt_gtt_entry e;
> -       unsigned long index;
>         int ret;
>
>         trace_spt_change(spt->vgpu->id, "die", spt,
> -                       spt->guest_page.gfn, spt->shadow_page.type);
> -
> +               spt->guest_page.gfn, spt->shadow_page.type);
>         if (ppgtt_put_spt(spt) > 0)
>                 return 0;
> +       ret = ppgtt_invalidate_spt(spt);
> +       if (!ret) {
> +               trace_spt_change(spt->vgpu->id, "release", spt,
> +                        spt->guest_page.gfn, spt->shadow_page.type);
> +               ppgtt_free_spt(spt);
> +       }
> +
> +       return ret;
> +}
> +
> +static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
> +{
> +       struct intel_vgpu *vgpu = spt->vgpu;
> +       struct intel_gvt_gtt_entry e;
> +       unsigned long index;
> +       int ret;
>
>         for_each_present_shadow_entry(spt, &e, index) {
>                 switch (e.type) {
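Review bot: The continuation line of the first trace_spt_change() call is re-indented from parenthesis-aligned to a bare tab and the blank line after it is dropped, which is unrelated whitespace churn in a fix that is likely to be backported; keep `-                       spt->guest_page.gfn, spt->shadow_page.type);` as it was. In the new ppgtt_invalidate_and_free_spt, when ppgtt_invalidate_spt() returns non-zero the refcount has already been taken to zero by ppgtt_put_spt(), yet spt is neither freed nor re-referenced, so the object is left allocated with a zero count; this appears to match the pre-patch `fail:` path, which also returned without freeing, but the new function is the place to state it, e.g. `/* On error spt is left allocated with refcount 0 (unchanged from before the split). */` before `return ret;`. The body of ppgtt_invalidate_spt continues outside this hunk.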
> @@ -1059,9 +1072,6 @@ static int ppgtt_invalidate_spt(struct intel_vgpu_ppgtt_spt *spt)
>                 }
>         }
>
> -       trace_spt_change(spt->vgpu->id, "release", spt,
> -                        spt->guest_page.gfn, spt->shadow_page.type);
> -       ppgtt_free_spt(spt);
>         return 0;
>  fail:
>         gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> @@ -1393,7 +1403,7 @@ static int ppgtt_handle_guest_entry_removal(struct intel_vgpu_ppgtt_spt *spt,
>                         ret = -ENXIO;
>                         goto fail;
>                 }
> -               ret = ppgtt_invalidate_spt(s);
> +               ret = ppgtt_invalidate_and_free_spt(s);
>                 if (ret)
>                         goto fail;
>         } else {
> --
> 2.25.1
>


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-27  0:01               ` Dave Airlie
@ 2022-10-27  3:26                 ` Zheng Hacker
From: Zheng Hacker @ 2022-10-27  3:26 UTC (permalink / raw)
  To: Dave Airlie
  Cc: Zheng Wang, gregkh, alex000young, security, airlied, intel-gfx,
	dri-devel, linux-kernel, 1002992920

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
>
> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>
> Has this landed in a tree yet, since it's a possible CVE, might be
> good to merge it somewhere.
>
> Dave.
>

Hi Dave,

This patch hasn't been merged yet. Could you please help with this?

Best Regards,
Zheng Wang


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  3:26                 ` Zheng Hacker
From: Zheng Hacker @ 2022-10-27  3:26 UTC (permalink / raw)
  To: Dave Airlie
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
>
> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>
> Has this landed in a tree yet, since it's a possible CVE, might be
> good to merge it somewhere.
>
> Dave.
>

Hi Dave,

This patch hasn't been merged yet. Could you please help with this?

Best Regards,
Zheng Wang


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  3:26                 ` Zheng Hacker
From: Zheng Hacker @ 2022-10-27  3:26 UTC (permalink / raw)
  To: Dave Airlie
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
>
> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> >
> > If intel_gvt_dma_map_guest_page failed, it will call
> > ppgtt_invalidate_spt, which will finally free the spt.
> > But the caller does not notice that, it will free spt again in error path.
> >
> > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > Only free spt when in good case.
> >
> > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>
> Has this landed in a tree yet, since it's a possible CVE, might be
> good to merge it somewhere.
>
> Dave.
>

Hi Dave,

This patch hasn't been merged yet. Could you please help with this?

Best Regards,
Zheng Wang


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-27  3:26                 ` Zheng Hacker
@ 2022-10-27  5:12                   ` Dave Airlie
From: Dave Airlie @ 2022-10-27  5:12 UTC (permalink / raw)
  To: Zheng Hacker
  Cc: Zheng Wang, gregkh, alex000young, security, airlied, intel-gfx,
	dri-devel, linux-kernel, 1002992920, intel-gvt-dev, zhi.a.wang,
	Zhenyu Wang, Jani Nikula

On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
>
> Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
> >
> > On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> > >
> > > If intel_gvt_dma_map_guest_page failed, it will call
> > > ppgtt_invalidate_spt, which will finally free the spt.
> > > But the caller does not notice that, it will free spt again in error path.
> > >
> > > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > > Only free spt when in good case.
> > >
> > > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> >
> > Has this landed in a tree yet, since it's a possible CVE, might be
> > good to merge it somewhere.
> >
> > Dave.
> >
>
> Hi Dave,
>
> This patched hasn't been merged yet. Could you please help with this?

I'll add some more people who can probably look at it.

Dave.


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  5:12                   ` Dave Airlie
From: Dave Airlie @ 2022-10-27  5:12 UTC (permalink / raw)
  To: Zheng Hacker
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev, zhi.a.wang

On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
>
> Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
> >
> > On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> > >
> > > If intel_gvt_dma_map_guest_page failed, it will call
> > > ppgtt_invalidate_spt, which will finally free the spt.
> > > But the caller does not notice that, it will free spt again in error path.
> > >
> > > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > > Only free spt when in good case.
> > >
> > > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> >
> > Has this landed in a tree yet, since it's a possible CVE, might be
> > good to merge it somewhere.
> >
> > Dave.
> >
>
> Hi Dave,
>
> This patched hasn't been merged yet. Could you please help with this?

I'll add some more people who can probably look at it.

Dave.


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-27  5:12                   ` Dave Airlie
From: Dave Airlie @ 2022-10-27  5:12 UTC (permalink / raw)
  To: Zheng Hacker
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
>
> Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
> >
> > On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> > >
> > > If intel_gvt_dma_map_guest_page failed, it will call
> > > ppgtt_invalidate_spt, which will finally free the spt.
> > > But the caller does not notice that, it will free spt again in error path.
> > >
> > > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > > Only free spt when in good case.
> > >
> > > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> >
> > Has this landed in a tree yet, since it's a possible CVE, might be
> > good to merge it somewhere.
> >
> > Dave.
> >
>
> Hi Dave,
>
> This patched hasn't been merged yet. Could you please help with this?

I'll add some more people who can probably look at it.

Dave.


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-27  5:12                   ` Dave Airlie
@ 2022-10-30 15:10                     ` Zheng Hacker
From: Zheng Hacker @ 2022-10-30 15:10 UTC (permalink / raw)
  To: Dave Airlie
  Cc: Zheng Wang, gregkh, alex000young, security, airlied, intel-gfx,
	dri-devel, linux-kernel, 1002992920, intel-gvt-dev, zhi.a.wang,
	Zhenyu Wang, Jani Nikula

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 13:12写道:

> I'll add some more people who can probably look at it.
>
> Dave.

Got it, Thanks Dave.

Regards,
Zheng Wang


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-30 15:10                     ` Zheng Hacker
From: Zheng Hacker @ 2022-10-30 15:10 UTC (permalink / raw)
  To: Dave Airlie
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev, zhi.a.wang

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 13:12写道:

> I'll add some more people who can probably look at it.
>
> Dave.

Got it, Thanks Dave.

Regards,
Zheng Wang


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-10-30 15:10                     ` Zheng Hacker
From: Zheng Hacker @ 2022-10-30 15:10 UTC (permalink / raw)
  To: Dave Airlie
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 13:12写道:

> I'll add some more people who can probably look at it.
>
> Dave.

Got it, Thanks Dave.

Regards,
Zheng Wang


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-10-27  5:12                   ` Dave Airlie
@ 2022-12-15 10:47                     ` Joonas Lahtinen
From: Joonas Lahtinen @ 2022-12-15 10:47 UTC (permalink / raw)
  To: Dave Airlie, Zheng Hacker, Zhenyu Wang, Tvrtko Ursulin
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev, zhi.a.wang

(+ Tvrtko as FYI)

Zhenyu, can you take a look at the patch ASAP.

Regards, Joonas

Quoting Dave Airlie (2022-10-27 08:12:31)
> On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
> >
> > Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
> > >
> > > On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> > > >
> > > > If intel_gvt_dma_map_guest_page failed, it will call
> > > > ppgtt_invalidate_spt, which will finally free the spt.
> > > > But the caller does not notice that, it will free spt again in error path.
> > > >
> > > > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > > > Only free spt when in good case.
> > > >
> > > > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > >
> > > Has this landed in a tree yet, since it's a possible CVE, might be
> > > good to merge it somewhere.
> > >
> > > Dave.
> > >
> >
> > Hi Dave,
> >
> > This patched hasn't been merged yet. Could you please help with this?
> 
> I'll add some more people who can probably look at it.
> 
> Dave.


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-15 10:47                     ` Joonas Lahtinen
From: Joonas Lahtinen @ 2022-12-15 10:47 UTC (permalink / raw)
  To: Dave Airlie, Zheng Hacker, Zhenyu Wang, Tvrtko Ursulin
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

(+ Tvrtko as FYI)

Zhenyu, can you take a look at the patch ASAP.

Regards, Joonas

Quoting Dave Airlie (2022-10-27 08:12:31)
> On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
> >
> > Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
> > >
> > > On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
> > > >
> > > > If intel_gvt_dma_map_guest_page failed, it will call
> > > > ppgtt_invalidate_spt, which will finally free the spt.
> > > > But the caller does not notice that, it will free spt again in error path.
> > > >
> > > > Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
> > > > Only free spt when in good case.
> > > >
> > > > Reported-by: Zheng Wang <hackerzheng666@gmail.com>
> > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > >
> > > Has this landed in a tree yet, since it's a possible CVE, might be
> > > good to merge it somewhere.
> > >
> > > Dave.
> > >
> >
> > Hi Dave,
> >
> > This patched hasn't been merged yet. Could you please help with this?
> 
> I'll add some more people who can probably look at it.
> 
> Dave.


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-15 10:47                     ` [Intel-gfx] " Joonas Lahtinen
@ 2022-12-15 11:33                       ` Wang, Zhi A
From: Wang, Zhi A @ 2022-12-15 11:33 UTC (permalink / raw)
  To: Joonas Lahtinen, Dave Airlie, Zheng Hacker, Zhenyu Wang, Tvrtko Ursulin
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

On 12/15/2022 12:47 PM, Joonas Lahtinen wrote:
> (+ Tvrtko as FYI)
>
> Zhenyu, can you take a look at the patch ASAP.
>
> Regards, Joonas

Thanks so much for the reminding and patch.


Actually I don't think it is proper fix as:

split_2MB_gtt_entry() is going to allocate a new spt structure, which is 
a PTE page to hold

the mapping of the 2MB. It will map the sub 4k pages for DMA addrs, form 
them as PTE

entries, write the entries into the new PTE page,  and then link the 
page to the parent

table entry so that the GPU can reach it.


Now something wrong happens when mapping the sub 4K pages. What we need 
are 1) The

existing mappings of DMA addr need to be un-done and 2) the newly 
allocated spt structure

needs to be freed.  These can be handle by ppgtt_invalidate_spt() which 
will handle the 1)

and 2) based on the type of shadow page table, either recursively or 
not. i.e. in this case,

it's a PTE page.


I guess the code wrongly does 1) and 2) on the parent page table when an
error happens in DMA mapping. You can fix it by releasing the newly
allocated spt in the error case and putting a
Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support") in the
patch comment.


BTW: For sending the patches, you can take a look on "git send-email". 
It will promise the correct

format and prevent quite some bumps. For email clients, if you feel mutt 
is hard to ramp up,

you can try the Claws Mail. More information can be found in 
Documentation/process/email-clients.rst


Thanks,

Zhi.

>
> Quoting Dave Airlie (2022-10-27 08:12:31)
>> On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
>>> Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
>>>> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
>>>>> If intel_gvt_dma_map_guest_page failed, it will call
>>>>> ppgtt_invalidate_spt, which will finally free the spt.
>>>>> But the caller does not notice that, it will free spt again in error path.
>>>>>
>>>>> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
>>>>> Only free spt when in good case.
>>>>>
>>>>> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
>>>>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>>>> Has this landed in a tree yet, since it's a possible CVE, might be
>>>> good to merge it somewhere.
>>>>
>>>> Dave.
>>>>
>>> Hi Dave,
>>>
>>> This patched hasn't been merged yet. Could you please help with this?
>> I'll add some more people who can probably look at it.
>>
>> Dave.




* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-15 11:33                       ` Wang, Zhi A
From: Wang, Zhi A @ 2022-12-15 11:33 UTC (permalink / raw)
  To: Joonas Lahtinen, Dave Airlie, Zheng Hacker, Zhenyu Wang, Tvrtko Ursulin
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

On 12/15/2022 12:47 PM, Joonas Lahtinen wrote:
> (+ Tvrtko as FYI)
>
> Zhenyu, can you take a look at the patch ASAP.
>
> Regards, Joonas

Thanks so much for the reminding and patch.


Actually I don't think it is proper fix as:

split_2MB_gtt_entry() is going to allocate a new spt structure, which is 
a PTE page to hold

the mapping of the 2MB. It will map the sub 4k pages for DMA addrs, form 
them as PTE

entries, write the entries into the new PTE page,  and then link the 
page to the parent

table entry so that the GPU can reach it.


Now something wrong happens when mapping the sub 4K pages. What we need 
are 1) The

existing mappings of DMA addr need to be un-done and 2) the newly 
allocated spt structure

needs to be freed.  These can be handle by ppgtt_invalidate_spt() which 
will handle the 1)

and 2) based on the type of shadow page table, either recursively or 
not. i.e. in this case,

it's a PTE page.


I guess the code wrongly does 1) and 2) on the parent page table when an
error happens in DMA mapping. You can fix it by releasing the newly
allocated spt in the error case and putting a
Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support") in the
patch comment.


BTW: For sending the patches, you can take a look on "git send-email". 
It will promise the correct

format and prevent quite some bumps. For email clients, if you feel mutt 
is hard to ramp up,

you can try the Claws Mail. More information can be found in 
Documentation/process/email-clients.rst


Thanks,

Zhi.

>
> Quoting Dave Airlie (2022-10-27 08:12:31)
>> On Thu, 27 Oct 2022 at 13:26, Zheng Hacker <hackerzheng666@gmail.com> wrote:
>>> Dave Airlie <airlied@gmail.com> 于2022年10月27日周四 08:01写道:
>>>> On Fri, 7 Oct 2022 at 11:38, Zheng Wang <zyytlz.wz@163.com> wrote:
>>>>> If intel_gvt_dma_map_guest_page failed, it will call
>>>>> ppgtt_invalidate_spt, which will finally free the spt.
>>>>> But the caller does not notice that, it will free spt again in error path.
>>>>>
>>>>> Fix this by spliting invalidate and free in ppgtt_invalidate_spt.
>>>>> Only free spt when in good case.
>>>>>
>>>>> Reported-by: Zheng Wang <hackerzheng666@gmail.com>
>>>>> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
>>>> Has this landed in a tree yet, since it's a possible CVE, might be
>>>> good to merge it somewhere.
>>>>
>>>> Dave.
>>>>
>>> Hi Dave,
>>>
>>> This patched hasn't been merged yet. Could you please help with this?
>> I'll add some more people who can probably look at it.
>>
>> Dave.




* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-15 11:33                       ` [Intel-gfx] " Wang, Zhi A
@ 2022-12-15 13:26                         ` Zheng Hacker
From: Zheng Hacker @ 2022-12-15 13:26 UTC (permalink / raw)
  To: Wang, Zhi A
  Cc: Joonas Lahtinen, Dave Airlie, Zhenyu Wang, Tvrtko Ursulin,
	alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, Zheng Wang, intel-gvt-dev

Hi Zhi,

Thanks for your reply and suggestion about the fix. I am a little bit busy now.
I will review the code as soon as possible. Also thanks to
Joonas for the reminder. We'll try to work out the new fix.

Best regards,
Zheng Wang


* Re: [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-15 13:26                         ` Zheng Hacker
From: Zheng Hacker @ 2022-12-15 13:26 UTC (permalink / raw)
  To: Wang, Zhi A
  Cc: Tvrtko Ursulin, security, intel-gvt-dev, alex000young, airlied,
	gregkh, intel-gfx, linux-kernel, 1002992920, dri-devel,
	Zheng Wang

Hi Zhi,

Thanks for your reply and suggestion about the fix. I am a little bit busy now.
I will review the code as soon as possible. Also thanks to
Joonas for the reminder. We'll try to work out the new fix.

Best regards,
Zheng Wang


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-15 13:26                         ` Zheng Hacker
From: Zheng Hacker @ 2022-12-15 13:26 UTC (permalink / raw)
  To: Wang, Zhi A
  Cc: security, intel-gvt-dev, alex000young, airlied, gregkh,
	intel-gfx, linux-kernel, 1002992920, dri-devel, Zheng Wang,
	Dave Airlie

Hi Zhi,

Thanks for your reply and suggestion about the fix. I am a little bit busy now.
I will review the code as soon as possible. Also thanks to
Joonas for the reminder. We'll try to work out the new fix.

Best regards,
Zheng Wang


* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-15 11:33                       ` [Intel-gfx] " Wang, Zhi A
@ 2022-12-19  7:57                         ` Zheng Wang
From: Zheng Wang @ 2022-12-19  7:57 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

Hi Zhi,

Thanks again for your reply and clear explanation of the function.
I still have some doubts about the fix. Here is an invocation chain:
ppgtt_populate_spt
  ->ppgtt_populate_shadow_entry
    ->split_2MB_gtt_entry
As far as I can tell, when an error happens in DMA mapping,
which makes intel_gvt_dma_map_guest_page return a non-zero code,
it will invoke ppgtt_invalidate_spt and call ppgtt_free_spt, which will
finally free spt by kfree. But the caller doesn't notice that and frees
spt by calling ppgtt_free_spt again. This is a typical UAF/double-free
vulnerability. So I think the key point is how to handle spt properly.
The handling of the newly allocated spt (aka sub_spt) is not the root cause of this
issue. Could you please give me more advice about how to fix this security
bug? Besides, I'm not sure if there are similar problems in other locations.

Best regards,
Zheng Wang

-- 
2.25.1



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  7:57                         ` Zheng Wang
From: Zheng Wang @ 2022-12-19  7:57 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

Hi Zhi,

Thanks again for your reply and clear explanation of the function.
I still have some doubts about the fix. Here is an invocation chain:
ppgtt_populate_spt
  ->ppgtt_populate_shadow_entry
    ->split_2MB_gtt_entry
As far as I can tell, when an error happens in DMA mapping,
which makes intel_gvt_dma_map_guest_page return a non-zero code,
it will invoke ppgtt_invalidate_spt and call ppgtt_free_spt, which will
finally free spt by kfree. But the caller doesn't notice that and frees
spt by calling ppgtt_free_spt again. This is a typical UAF/double-free
vulnerability. So I think the key point is how to handle spt properly.
The handling of the newly allocated spt (aka sub_spt) is not the root cause of this
issue. Could you please give me more advice about how to fix this security
bug? Besides, I'm not sure if there are similar problems in other locations.

Best regards,
Zheng Wang

-- 
2.25.1



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  7:57                         ` Zheng Wang
From: Zheng Wang @ 2022-12-19  7:57 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

Hi Zhi,

Thanks again for your reply and clear explanation of the function.
I still have some doubts about the fix. Here is an invocation chain:
ppgtt_populate_spt
  ->ppgtt_populate_shadow_entry
    ->split_2MB_gtt_entry
As far as I can tell, when an error happens in DMA mapping,
which makes intel_gvt_dma_map_guest_page return a non-zero code,
it will invoke ppgtt_invalidate_spt and call ppgtt_free_spt, which will
finally free spt by kfree. But the caller doesn't notice that and frees
spt by calling ppgtt_free_spt again. This is a typical UAF/double-free
vulnerability. So I think the key point is how to handle spt properly.
The handling of the newly allocated spt (aka sub_spt) is not the root cause of this
issue. Could you please give me more advice about how to fix this security
bug? Besides, I'm not sure if there are similar problems in other locations.

Best regards,
Zheng Wang

-- 
2.25.1



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  7:57                         ` Zheng Wang
@ 2022-12-19  8:22                           ` Wang, Zhi A
From: Wang, Zhi A @ 2022-12-19  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw

On 12/19/2022 9:57 AM, Zheng Wang wrote:
> Hi Zhi,
> 
> Thanks again for your reply and clear explaination about the function.
> I still have some doubt about the fix. Here is a invoke chain :
> ppgtt_populate_spt
>    ->ppgtt_populate_shadow_entry
>      ->split_2MB_gtt_entry
> As far as I'm concerned, when something error happens in DMA mapping,
> which will make intel_gvt_dma_map_guest_page return none-zero code,
> It will invoke ppgtt_invalidate_spt and call ppgtt_free_spt,which will
> finally free spt by kfree. But the caller doesn't notice that and frees
> spt by calling ppgtt_free_spt again. This is a typical UAF/Double Free
> vulnerability. So I think the key point is about how to handle spt properly.
> The handle newly allocated spt (aka sub_spt) is not the root cause of this
> issue. Could you please give me more advice about how to fix this security
> bug? Besides, I'm not sure if there are more similar problems in othe location.
> 
> Best regards,
> Zheng Wang
> 

I think it is a case-by-case thing. For example:

The current scenario in this function looks like below:

caller pass spt a
function
	alloc spt b
	something error
	free spt a
	return error

The problem is: the function wrongly frees spt a instead of freeing what
it allocates.

A proper fix should be:

caller pass spt a
function
	alloc spt b
	something error
	*free spt b*
	return error

Thanks,
Zhi.



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  8:22                           ` Wang, Zhi A
From: Wang, Zhi A @ 2022-12-19  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920

On 12/19/2022 9:57 AM, Zheng Wang wrote:
> Hi Zhi,
> 
> Thanks again for your reply and clear explaination about the function.
> I still have some doubt about the fix. Here is a invoke chain :
> ppgtt_populate_spt
>    ->ppgtt_populate_shadow_entry
>      ->split_2MB_gtt_entry
> As far as I'm concerned, when something error happens in DMA mapping,
> which will make intel_gvt_dma_map_guest_page return none-zero code,
> It will invoke ppgtt_invalidate_spt and call ppgtt_free_spt,which will
> finally free spt by kfree. But the caller doesn't notice that and frees
> spt by calling ppgtt_free_spt again. This is a typical UAF/Double Free
> vulnerability. So I think the key point is about how to handle spt properly.
> The handle newly allocated spt (aka sub_spt) is not the root cause of this
> issue. Could you please give me more advice about how to fix this security
> bug? Besides, I'm not sure if there are more similar problems in othe location.
> 
> Best regards,
> Zheng Wang
> 

I think it is a case-by-case thing. For example:

The current scenario in this function looks like below:

caller pass spt a
function
	alloc spt b
	something error
	free spt a
	return error

The problem is: the function wrongly frees spt a instead of freeing what
it allocates.

A proper fix should be:

caller pass spt a
function
	alloc spt b
	something error
	*free spt b*
	return error

Thanks,
Zhi.



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  8:22                           ` Wang, Zhi A
From: Wang, Zhi A @ 2022-12-19  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	airlied

On 12/19/2022 9:57 AM, Zheng Wang wrote:
> Hi Zhi,
> 
> Thanks again for your reply and clear explaination about the function.
> I still have some doubt about the fix. Here is a invoke chain :
> ppgtt_populate_spt
>    ->ppgtt_populate_shadow_entry
>      ->split_2MB_gtt_entry
> As far as I'm concerned, when something error happens in DMA mapping,
> which will make intel_gvt_dma_map_guest_page return none-zero code,
> It will invoke ppgtt_invalidate_spt and call ppgtt_free_spt,which will
> finally free spt by kfree. But the caller doesn't notice that and frees
> spt by calling ppgtt_free_spt again. This is a typical UAF/Double Free
> vulnerability. So I think the key point is about how to handle spt properly.
> The handle newly allocated spt (aka sub_spt) is not the root cause of this
> issue. Could you please give me more advice about how to fix this security
> bug? Besides, I'm not sure if there are more similar problems in othe location.
> 
> Best regards,
> Zheng Wang
> 

I think it is a case-by-case thing. For example:

The current scenario in this function looks like below:

caller pass spt a
function
	alloc spt b
	something error
	free spt a
	return error

The problem is: the function wrongly frees spt a instead of freeing what
it allocates.

A proper fix should be:

caller pass spt a
function
	alloc spt b
	something error
	*free spt b*
	return error

Thanks,
Zhi.



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  8:22                           ` Wang, Zhi A
@ 2022-12-19  9:21                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19  9:21 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

Wang, Zhi A <zhi.a.wang@intel.com> 于2022年12月19日周一 16:22写道:

>
> I think it is a case-by-case thing. For example:
>
> The current scenario in this function looks like below:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         free spt a
>         return error
>
> The problem is: the function wrongly frees the spt a instead free what
> it allocates.

Thanks for your clear explanation. It's really helpful to me.
I think I might know how to fix it now.

> A proper fix should be:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         *free spt b*
>         return error
>
As it's a case-by-case thing, I'll extract the un-done-mapping-dma part from
ppgtt_invalidate_spt and put it in error path. Then I'll add the code of freeing
new allocated spt. If I misunderstand your meaning, feel free to let me know.
Working on a new fix now.

Best regards,
Zheng Wang



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  9:21                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19  9:21 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

Wang, Zhi A <zhi.a.wang@intel.com> 于2022年12月19日周一 16:22写道:

>
> I think it is a case-by-case thing. For example:
>
> The current scenario in this function looks like below:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         free spt a
>         return error
>
> The problem is: the function wrongly frees the spt a instead free what
> it allocates.

Thanks for your clear explanation. It's really helpful to me.
I think I might know how to fix it now.

> A proper fix should be:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         *free spt b*
>         return error
>
As it's a case-by-case thing, I'll extract the un-done-mapping-dma part from
ppgtt_invalidate_spt and put it in error path. Then I'll add the code of freeing
new allocated spt. If I misunderstand your meaning, feel free to let me know.
Working on a new fix now.

Best regards,
Zheng Wang



* Re: [Intel-gfx] [PATCH v3] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19  9:21                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19  9:21 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

Wang, Zhi A <zhi.a.wang@intel.com> 于2022年12月19日周一 16:22写道:

>
> I think it is a case-by-case thing. For example:
>
> The current scenario in this function looks like below:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         free spt a
>         return error
>
> The problem is: the function wrongly frees the spt a instead free what
> it allocates.

Thanks for your clear explanation. It's really helpful to me.
I think I might know how to fix it now.

> A proper fix should be:
>
> caller pass spt a
> function
>         alloc spt b
>         something error
>         *free spt b*
>         return error
>
As it's a case-by-case thing, I'll extract the un-done-mapping-dma part from
ppgtt_invalidate_spt and put it in error path. Then I'll add the code of freeing
new allocated spt. If I misunderstand your meaning, feel free to let me know.
Working on a new fix now.

Best regards,
Zheng Wang



* [PATCH v4] [PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  8:22                           ` Wang, Zhi A
@ 2022-12-19 12:46                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:46 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 58 +++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 45271acc5038..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,7 +1209,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) 
+		if (ret)
 			goto err;
 		sub_se.val64 = se->val64;
 
@@ -1233,34 +1233,34 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	/* Undone the existing mappings of DMA addr. */
 	for_each_present_shadow_entry(spt, &e, parent_index) {
 		switch (e.type) {
-			case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
-				gvt_vdbg_mm("invalidate 4K entry\n");
-				ppgtt_invalidate_pte(spt, &e);
-				break;
-			case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
-				/* We don't setup 64K shadow entry so far. */
-				WARN(1, "suspicious 64K gtt entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
-				gvt_vdbg_mm("invalidate 2M entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
-				WARN(1, "GVT doesn't support 1GB page\n");
-				continue;
-			case GTT_TYPE_PPGTT_PML4_ENTRY:
-			case GTT_TYPE_PPGTT_PDP_ENTRY:
-			case GTT_TYPE_PPGTT_PDE_ENTRY:
-				gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
-				ret1 = ppgtt_invalidate_spt_by_shadow_entry(
-						spt->vgpu, &e);
-				if (ret1) {
-					gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
-					spt, e.val64, e.type);
-					goto free_spt;
-				}
-				break;
-			default:
-				GEM_BUG_ON(1);
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
 		}
 	}
 	/* Release the new alloced apt. */
-- 
2.25.1



* [PATCH v4] [PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19 12:46                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:46 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 58 +++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 45271acc5038..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,7 +1209,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) 
+		if (ret)
 			goto err;
 		sub_se.val64 = se->val64;
 
@@ -1233,34 +1233,34 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	/* Undone the existing mappings of DMA addr. */
 	for_each_present_shadow_entry(spt, &e, parent_index) {
 		switch (e.type) {
-			case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
-				gvt_vdbg_mm("invalidate 4K entry\n");
-				ppgtt_invalidate_pte(spt, &e);
-				break;
-			case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
-				/* We don't setup 64K shadow entry so far. */
-				WARN(1, "suspicious 64K gtt entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
-				gvt_vdbg_mm("invalidate 2M entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
-				WARN(1, "GVT doesn't support 1GB page\n");
-				continue;
-			case GTT_TYPE_PPGTT_PML4_ENTRY:
-			case GTT_TYPE_PPGTT_PDP_ENTRY:
-			case GTT_TYPE_PPGTT_PDE_ENTRY:
-				gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
-				ret1 = ppgtt_invalidate_spt_by_shadow_entry(
-						spt->vgpu, &e);
-				if (ret1) {
-					gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
-					spt, e.val64, e.type);
-					goto free_spt;
-				}
-				break;
-			default:
-				GEM_BUG_ON(1);
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
 		}
 	}
 	/* Release the new alloced apt. */
-- 
2.25.1



* [Intel-gfx] [PATCH v4] [PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19 12:46                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:46 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 58 +++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 45271acc5038..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,7 +1209,7 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) 
+		if (ret)
 			goto err;
 		sub_se.val64 = se->val64;
 
@@ -1233,34 +1233,34 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	/* Undone the existing mappings of DMA addr. */
 	for_each_present_shadow_entry(spt, &e, parent_index) {
 		switch (e.type) {
-			case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
-				gvt_vdbg_mm("invalidate 4K entry\n");
-				ppgtt_invalidate_pte(spt, &e);
-				break;
-			case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
-				/* We don't setup 64K shadow entry so far. */
-				WARN(1, "suspicious 64K gtt entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
-				gvt_vdbg_mm("invalidate 2M entry\n");
-				continue;
-			case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
-				WARN(1, "GVT doesn't support 1GB page\n");
-				continue;
-			case GTT_TYPE_PPGTT_PML4_ENTRY:
-			case GTT_TYPE_PPGTT_PDP_ENTRY:
-			case GTT_TYPE_PPGTT_PDE_ENTRY:
-				gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
-				ret1 = ppgtt_invalidate_spt_by_shadow_entry(
-						spt->vgpu, &e);
-				if (ret1) {
-					gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
-					spt, e.val64, e.type);
-					goto free_spt;
-				}
-				break;
-			default:
-				GEM_BUG_ON(1);
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
 		}
 	}
 	/* Release the new alloced apt. */
-- 
2.25.1



* [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  8:22                           ` Wang, Zhi A
@ 2022-12-19 12:52                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:52 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 {
 	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
 	struct intel_vgpu_ppgtt_spt *sub_spt;
-	struct intel_gvt_gtt_entry sub_se;
+	struct intel_gvt_gtt_entry sub_se, e;
 	unsigned long start_gfn;
 	dma_addr_t dma_addr;
-	unsigned long sub_index;
-	int ret;
+	unsigned long sub_index, parent_index;
+	int ret, ret1;
 
 	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
 
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(spt, &e, parent_index) {
+		switch (e.type) {
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
+		}
+	}
+	/* Release the new alloced apt. */
+free_spt:
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
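Review bot: The undo loop `for_each_present_shadow_entry(spt, &e, parent_index)` walks the parent table `spt`, but the DMA mappings that need reverting were installed into `sub_spt` by the `for_each_shadow_entry(sub_spt, &sub_se, sub_index)` loop of the previous hunk, so on failure this path invalidates the parent's other present entries (and recurses into child tables through `ppgtt_invalidate_spt_by_shadow_entry`) while the partially filled `sub_spt` is freed with its mappings still in place — the "frees spt a instead of spt b" mistake from the earlier thread in a new form. Iterating `sub_spt` with `ppgtt_invalidate_pte(sub_spt, &sub_se)` is sufficient; the freshly split table presumably holds only 4K entries, so the type switch, the `ret1` / `goto free_spt` branch and the `e`, `parent_index`, `ret1` declarations added in the first hunk would no longer be needed. `sub_spt = NULL;` after `ppgtt_free_spt()` is a dead store on a local that immediately goes out of scope. The two comments should read `/* Undo the DMA mappings already installed in sub_spt. */` and `/* Release the newly allocated spt. */` ("Undone", "alloced apt"). split_2MB_gtt_entry's signature and the mapping loop lie outside this hunk, and the same hunk is reposted verbatim twice further down.
```c
	return 0;
err:
	/* Undo the DMA mappings already installed in sub_spt. */
	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
		gvt_vdbg_mm("invalidate 4K entry\n");
		ppgtt_invalidate_pte(sub_spt, &sub_se);
	}
	/* Release the newly allocated spt. */
	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
	ppgtt_free_spt(sub_spt);
	return ret;
```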
-- 
2.25.1



* [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19 12:52                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:52 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 {
 	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
 	struct intel_vgpu_ppgtt_spt *sub_spt;
-	struct intel_gvt_gtt_entry sub_se;
+	struct intel_gvt_gtt_entry sub_se, e;
 	unsigned long start_gfn;
 	dma_addr_t dma_addr;
-	unsigned long sub_index;
-	int ret;
+	unsigned long sub_index, parent_index;
+	int ret, ret1;
 
 	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
 
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(spt, &e, parent_index) {
+		switch (e.type) {
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
+		}
+	}
+	/* Release the new alloced apt. */
+free_spt:
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* [Intel-gfx] [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-19 12:52                             ` Zheng Wang
From: Zheng Wang @ 2022-12-19 12:52 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

If intel_gvt_dma_map_guest_page fails, it calls
 ppgtt_invalidate_spt, which eventually frees the spt. But the caller does
 not notice that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..b472e021e5a4 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 {
 	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
 	struct intel_vgpu_ppgtt_spt *sub_spt;
-	struct intel_gvt_gtt_entry sub_se;
+	struct intel_gvt_gtt_entry sub_se, e;
 	unsigned long start_gfn;
 	dma_addr_t dma_addr;
-	unsigned long sub_index;
-	int ret;
+	unsigned long sub_index, parent_index;
+	int ret, ret1;
 
 	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
 
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(spt, &e, parent_index) {
+		switch (e.type) {
+		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
+			gvt_vdbg_mm("invalidate 4K entry\n");
+			ppgtt_invalidate_pte(spt, &e);
+			break;
+		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
+			/* We don't setup 64K shadow entry so far. */
+			WARN(1, "suspicious 64K gtt entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
+			gvt_vdbg_mm("invalidate 2M entry\n");
+			continue;
+		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
+			WARN(1, "GVT doesn't support 1GB page\n");
+			continue;
+		case GTT_TYPE_PPGTT_PML4_ENTRY:
+		case GTT_TYPE_PPGTT_PDP_ENTRY:
+		case GTT_TYPE_PPGTT_PDE_ENTRY:
+			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
+					spt->vgpu, &e);
+			if (ret1) {
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);
+				goto free_spt;
+			}
+			break;
+		default:
+			GEM_BUG_ON(1);
+		}
+	}
+	/* Release the new alloced apt. */
+free_spt:
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* Re: [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19 12:52                             ` Zheng Wang
@ 2022-12-20  8:22                               ` Zhenyu Wang
  -1 siblings, 0 replies; 93+ messages in thread
From: Zhenyu Wang @ 2022-12-20  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: zhi.a.wang, alex000young, security, intel-gvt-dev,
	tvrtko.ursulin, airlied, gregkh, intel-gfx, joonas.lahtinen,
	hackerzheng666, dri-devel, linux-kernel, 1002992920, zhenyuw,
	airlied


On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
>  not notice that, it will free spt again in error path.
>

It's not clear from this description which caller is actually wrong,
better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.

> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
>  1 file changed, 46 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..b472e021e5a4 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  {
>  	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
>  	struct intel_vgpu_ppgtt_spt *sub_spt;
> -	struct intel_gvt_gtt_entry sub_se;
> +	struct intel_gvt_gtt_entry sub_se, e;
>  	unsigned long start_gfn;
>  	dma_addr_t dma_addr;
> -	unsigned long sub_index;
> -	int ret;
> +	unsigned long sub_index, parent_index;
> +	int ret, ret1;
>  
>  	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
>  
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;

I think it's fine to remove this and leave it to the upper caller, but again please
describe the behavior change in the commit message as well, e.g. that the
invalidate and free of spt on error is now left to the caller function
instead of being done within the callee function.

>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */
> +	for_each_present_shadow_entry(spt, &e, parent_index) {

sub_spt? We're undoing what's mapped for sub_spt right?

> +		switch (e.type) {
> +		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> +			gvt_vdbg_mm("invalidate 4K entry\n");
> +			ppgtt_invalidate_pte(spt, &e);
> +			break;
> +		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> +			/* We don't setup 64K shadow entry so far. */
> +			WARN(1, "suspicious 64K gtt entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> +			gvt_vdbg_mm("invalidate 2M entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> +			WARN(1, "GVT doesn't support 1GB page\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PML4_ENTRY:
> +		case GTT_TYPE_PPGTT_PDP_ENTRY:
> +		case GTT_TYPE_PPGTT_PDE_ENTRY:

I don't think this all entry type makes sense, as here we just split
2M entry for multiple 4K PTE entry.

> +			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> +			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> +					spt->vgpu, &e);
> +			if (ret1) {
> +				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> +				spt, e.val64, e.type);
> +				goto free_spt;
> +			}

for above reason, I don't think this is valid.

> +			break;
> +		default:
> +			GEM_BUG_ON(1);
> +		}
> +	}
> +	/* Release the new alloced apt. */
> +free_spt:
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;
> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  8:22                               ` Zhenyu Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zhenyu Wang @ 2022-12-20  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	intel-gvt-dev, zhi.a.wang


On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
>  not notice that, it will free spt again in error path.
>

It's not clear from this description which caller is actually wrong,
better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.

> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
>  1 file changed, 46 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..b472e021e5a4 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  {
>  	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
>  	struct intel_vgpu_ppgtt_spt *sub_spt;
> -	struct intel_gvt_gtt_entry sub_se;
> +	struct intel_gvt_gtt_entry sub_se, e;
>  	unsigned long start_gfn;
>  	dma_addr_t dma_addr;
> -	unsigned long sub_index;
> -	int ret;
> +	unsigned long sub_index, parent_index;
> +	int ret, ret1;
>  
>  	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
>  
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;

I think it's fine to remove this and leave it to the upper caller, but again please
describe the behavior change in the commit message as well, e.g. that the
invalidate and free of spt on error is now left to the caller function
instead of being done within the callee function.

>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */
> +	for_each_present_shadow_entry(spt, &e, parent_index) {

sub_spt? We're undoing what's mapped for sub_spt right?

> +		switch (e.type) {
> +		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> +			gvt_vdbg_mm("invalidate 4K entry\n");
> +			ppgtt_invalidate_pte(spt, &e);
> +			break;
> +		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> +			/* We don't setup 64K shadow entry so far. */
> +			WARN(1, "suspicious 64K gtt entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> +			gvt_vdbg_mm("invalidate 2M entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> +			WARN(1, "GVT doesn't support 1GB page\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PML4_ENTRY:
> +		case GTT_TYPE_PPGTT_PDP_ENTRY:
> +		case GTT_TYPE_PPGTT_PDE_ENTRY:

I don't think this all entry type makes sense, as here we just split
2M entry for multiple 4K PTE entry.

> +			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> +			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> +					spt->vgpu, &e);
> +			if (ret1) {
> +				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> +				spt, e.val64, e.type);
> +				goto free_spt;
> +			}

for above reason, I don't think this is valid.

> +			break;
> +		default:
> +			GEM_BUG_ON(1);
> +		}
> +	}
> +	/* Release the new alloced apt. */
> +free_spt:
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;
> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [Intel-gfx] [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  8:22                               ` Zhenyu Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zhenyu Wang @ 2022-12-20  8:22 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920, airlied,
	intel-gvt-dev


On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
>  not notice that, it will free spt again in error path.
>

It's not clear from this description which caller is actually wrong,
better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.

> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 53 +++++++++++++++++++++++++++++-----
>  1 file changed, 46 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..b472e021e5a4 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1192,11 +1192,11 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  {
>  	const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
>  	struct intel_vgpu_ppgtt_spt *sub_spt;
> -	struct intel_gvt_gtt_entry sub_se;
> +	struct intel_gvt_gtt_entry sub_se, e;
>  	unsigned long start_gfn;
>  	dma_addr_t dma_addr;
> -	unsigned long sub_index;
> -	int ret;
> +	unsigned long sub_index, parent_index;
> +	int ret, ret1;
>  
>  	gvt_dbg_mm("Split 2M gtt entry, index %lu\n", index);
>  
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;

I think it's fine to remove this and leave it to the upper caller, but again please
describe the behavior change in the commit message as well, e.g. that the
invalidate and free of spt on error is now left to the caller function
instead of being done within the callee function.

>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */
> +	for_each_present_shadow_entry(spt, &e, parent_index) {

sub_spt? We're undoing what's mapped for sub_spt right?

> +		switch (e.type) {
> +		case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> +			gvt_vdbg_mm("invalidate 4K entry\n");
> +			ppgtt_invalidate_pte(spt, &e);
> +			break;
> +		case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> +			/* We don't setup 64K shadow entry so far. */
> +			WARN(1, "suspicious 64K gtt entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> +			gvt_vdbg_mm("invalidate 2M entry\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> +			WARN(1, "GVT doesn't support 1GB page\n");
> +			continue;
> +		case GTT_TYPE_PPGTT_PML4_ENTRY:
> +		case GTT_TYPE_PPGTT_PDP_ENTRY:
> +		case GTT_TYPE_PPGTT_PDE_ENTRY:

I don't think this all entry type makes sense, as here we just split
2M entry for multiple 4K PTE entry.

> +			gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> +			ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> +					spt->vgpu, &e);
> +			if (ret1) {
> +				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> +				spt, e.val64, e.type);
> +				goto free_spt;
> +			}

for above reason, I don't think this is valid.

> +			break;
> +		default:
> +			GEM_BUG_ON(1);
> +		}
> +	}
> +	/* Release the new alloced apt. */
> +free_spt:
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;
> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-20  8:22                               ` Zhenyu Wang
@ 2022-12-20  9:03                                 ` Zheng Hacker
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-12-20  9:03 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: Zheng Wang, zhi.a.wang, alex000young, security, intel-gvt-dev,
	tvrtko.ursulin, airlied, gregkh, intel-gfx, joonas.lahtinen,
	dri-devel, linux-kernel, 1002992920, airlied

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月20日周二 16:25写道:
>
> On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
> >  not notice that, it will free spt again in error path.
> >
>
> It's not clear from this description which caller is actually wrong,
> better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.
>

Get it, will do in the next fix.


> >                                                  PAGE_SIZE, &dma_addr);
> > -             if (ret) {
> > -                     ppgtt_invalidate_spt(spt);
> > -                     return ret;
> > -             }
> > +             if (ret)
> > +                     goto err;
>
> I think it's fine to remove this and leave to upper caller, but again please
> describe the behavior change in commit message as well, e.g to fix the sanity
> of spt destroy that leaving previous invalidate and free of spt to caller function
> instead of within callee function.

Sorry for my bad habit. Will do in the next version.

> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
> > +     for_each_present_shadow_entry(spt, &e, parent_index) {
>
> sub_spt? We're undoing what's mapped for sub_spt right?

Yes, will change it to sub_spt in the next version.

>
> > +             switch (e.type) {
> > +             case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 4K entry\n");
> > +                     ppgtt_invalidate_pte(spt, &e);
> > +                     break;
> > +             case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> > +                     /* We don't setup 64K shadow entry so far. */
> > +                     WARN(1, "suspicious 64K gtt entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 2M entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> > +                     WARN(1, "GVT doesn't support 1GB page\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PML4_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDP_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDE_ENTRY:
>
> I don't think this all entry type makes sense, as here we just split
> 2M entry for multiple 4K PTE entry.

I got it. I will leave the code for handling 4K PTE entry only.

>
> > +                     gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> > +                     ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> > +                                     spt->vgpu, &e);
> > +                     if (ret1) {
> > +                             gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > +                             spt, e.val64, e.type);
> > +                             goto free_spt;
> > +                     }
>
> for above reason, I don't think this is valid.

Got it.


Thanks for your careful review. I'll fix that in the coming patch.

Best regards,
Zheng Wang


* Re: [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  9:03                                 ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-12-20  9:03 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, linux-kernel, dri-devel, 1002992920, Zheng Wang,
	intel-gvt-dev, zhi.a.wang

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月20日周二 16:25写道:
>
> On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
> >  not notice that, it will free spt again in error path.
> >
>
> It's not clear from this description which caller is actually wrong,
> better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.
>

Get it, will do in the next fix.


> >                                                  PAGE_SIZE, &dma_addr);
> > -             if (ret) {
> > -                     ppgtt_invalidate_spt(spt);
> > -                     return ret;
> > -             }
> > +             if (ret)
> > +                     goto err;
>
> I think it's fine to remove this and leave to upper caller, but again please
> describe the behavior change in commit message as well, e.g to fix the sanity
> of spt destroy that leaving previous invalidate and free of spt to caller function
> instead of within callee function.

Sorry for my bad habit. Will do in the next version.

> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
> > +     for_each_present_shadow_entry(spt, &e, parent_index) {
>
> sub_spt? We're undoing what's mapped for sub_spt right?

Yes, will change it to sub_spt in the next version.

>
> > +             switch (e.type) {
> > +             case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 4K entry\n");
> > +                     ppgtt_invalidate_pte(spt, &e);
> > +                     break;
> > +             case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> > +                     /* We don't setup 64K shadow entry so far. */
> > +                     WARN(1, "suspicious 64K gtt entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 2M entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> > +                     WARN(1, "GVT doesn't support 1GB page\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PML4_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDP_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDE_ENTRY:
>
> I don't think this all entry type makes sense, as here we just split
> 2M entry for multiple 4K PTE entry.

I got it. I will leave the code for handling 4K PTE entry only.

>
> > +                     gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> > +                     ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> > +                                     spt->vgpu, &e);
> > +                     if (ret1) {
> > +                             gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > +                             spt, e.val64, e.type);
> > +                             goto free_spt;
> > +                     }
>
> for above reason, I don't think this is valid.

Got it.


Thanks for your careful review. I'll fix that in the coming patch.

Best regards,
Zheng Wang


* Re: [Intel-gfx] [RESEND PATCH v4] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  9:03                                 ` Zheng Hacker
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Hacker @ 2022-12-20  9:03 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, airlied, Zheng Wang, intel-gvt-dev

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月20日周二 16:25写道:
>
> On 2022.12.19 20:52:04 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the caller does
> >  not notice that, it will free spt again in error path.
> >
>
> It's not clear from this description which caller is actually wrong,
> better to clarify the problem in ppgtt_populate_spt_by_guest_entry() function.
>

Get it, will do in the next fix.


> >                                                  PAGE_SIZE, &dma_addr);
> > -             if (ret) {
> > -                     ppgtt_invalidate_spt(spt);
> > -                     return ret;
> > -             }
> > +             if (ret)
> > +                     goto err;
>
> I think it's fine to remove this and leave to upper caller, but again please
> describe the behavior change in commit message as well, e.g to fix the sanity
> of spt destroy that leaving previous invalidate and free of spt to caller function
> instead of within callee function.

Sorry for my bad habit. Will do in the next version.

> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,47 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
> > +     for_each_present_shadow_entry(spt, &e, parent_index) {
>
> sub_spt? We're undoing what's mapped for sub_spt right?

Yes, will change it to sub_spt in the next version.

>
> > +             switch (e.type) {
> > +             case GTT_TYPE_PPGTT_PTE_4K_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 4K entry\n");
> > +                     ppgtt_invalidate_pte(spt, &e);
> > +                     break;
> > +             case GTT_TYPE_PPGTT_PTE_64K_ENTRY:
> > +                     /* We don't setup 64K shadow entry so far. */
> > +                     WARN(1, "suspicious 64K gtt entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_2M_ENTRY:
> > +                     gvt_vdbg_mm("invalidate 2M entry\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PTE_1G_ENTRY:
> > +                     WARN(1, "GVT doesn't support 1GB page\n");
> > +                     continue;
> > +             case GTT_TYPE_PPGTT_PML4_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDP_ENTRY:
> > +             case GTT_TYPE_PPGTT_PDE_ENTRY:
>
> I don't think this all entry type makes sense, as here we just split
> 2M entry for multiple 4K PTE entry.

I got it. I will leave the code for handling 4K PTE entry only.

>
> > +                     gvt_vdbg_mm("invalidate PMUL4/PDP/PDE entry\n");
> > +                     ret1 = ppgtt_invalidate_spt_by_shadow_entry(
> > +                                     spt->vgpu, &e);
> > +                     if (ret1) {
> > +                             gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
> > +                             spt, e.val64, e.type);
> > +                             goto free_spt;
> > +                     }
>
> for above reason, I don't think this is valid.

Got it.


Thanks for your careful review. I'll fix that in the coming patch.

Best regards,
Zheng Wang


* [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  8:22                           ` Wang, Zhi A
@ 2022-12-20  9:40                             ` Zheng Wang
  -1 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-12-20  9:40 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, ppgtt_invalidate_spt is called,
 which eventually frees the spt. But the caller function
 ppgtt_populate_spt_by_guest_entry does not notice that and frees spt
 again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead of
callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v5:
- remove the unnecessary switch-case code since there is only one particular case,
correct the unmap target from parent_spt to sub_spt, and add more details to the
commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..4d478a59eb7d 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
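Review bot: Dropping `ppgtt_invalidate_spt(spt)` changes who tears down the parent `spt` when a mapping fails, but nothing in the code records that the parent is now the caller's responsibility — only the commit message says so. A short comment at the new guard would keep the next reader from re-adding the invalidate here, e.g. `/* spt is torn down by the caller on failure; only sub_spt is undone at err. */` above `if (ret)`. The enclosing function starts outside this hunk; the same applies to the repeated copy of this patch further down the page.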
@@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
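Review bot: `sub_spt = NULL;` before `return ret;` is a dead store on a local pointer and contributes nothing to the double-free fix; drop it. The cleanup loop at `err:` relies on `ppgtt_invalidate_pte()` undoing the DMA mapping that `intel_gvt_dma_map_guest_page()` set up for each entry already written into `sub_spt`, and that contract is not visible in this hunk, so the comment should name it rather than describe the loop: replace `/* Undone the existing mappings of DMA addr. */` with `/* Unmap the 4K pages already shadowed into sub_spt; the failed index was never mapped. */`. The enclosing function starts outside this hunk, and the same points apply to the repeated copy of this patch further down the page.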
-- 
2.25.1



* [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  9:40                             ` Zheng Wang
  0 siblings, 0 replies; 93+ messages in thread
From: Zheng Wang @ 2022-12-20  9:40 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, ppgtt_invalidate_spt is called,
 which eventually frees the spt. But the caller function
 ppgtt_populate_spt_by_guest_entry does not notice that and frees spt
 again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead of
callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v5:
- remove the unnecessary switch-case code since there is only one particular case,
correct the unmap target from parent_spt to sub_spt, and add more details to the
commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..4d478a59eb7d 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
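Review bot: The `err:` path frees only sub_spt and deliberately leaves spt alive, but the comment on that block says only that the new spt is released, and the original double free came from exactly this ownership confusion, so the contract deserves to be pinned in a comment, e.g. replace `/* Release the new allocated spt. */` with `/* sub_spt was never linked into spt, so tear it down here; spt is still owned by the caller and must not be freed on this path. */`. The unwind scan `for_each_present_shadow_entry(sub_spt, &sub_se, sub_index)` relies on entries the main loop has not yet written reading as non-present, which presumably holds only if the shadow page is zero-filled when sub_spt is allocated — worth confirming, since that allocation happens before this hunk. The `intel_gvt_dma_map_guest_page` call that failed leaves nothing to unmap for the current sub_index, so scanning only the already-present entries is sufficient. split_2MB_gtt_entry starts outside the hunk; the same two hunks appear again in the second copy of this patch further down the page and in the quoted copies in the replies.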
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* [Intel-gfx] [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-20  9:40                             ` Zheng Wang
From: Zheng Wang @ 2022-12-20  9:40 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

If intel_gvt_dma_map_guest_page fails, it calls
ppgtt_invalidate_spt, which eventually frees the spt. But the
caller function ppgtt_populate_spt_by_guest_entry does not notice
that and frees spt again in its error path.

Fix this by undoing the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead of
callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
v5:
- remove the unnecessary switch-case code since there is only one case,
correct the unmap target from parent_spt to sub_spt, and add more details
to the commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..4d478a59eb7d 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Undone the existing mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	sub_spt = NULL;
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* Re: [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-20  9:40                             ` Zheng Wang
@ 2022-12-21  2:58                               ` Zhenyu Wang
From: Zhenyu Wang @ 2022-12-21  2:58 UTC (permalink / raw)
  To: Zheng Wang
  Cc: zhi.a.wang, alex000young, security, intel-gvt-dev,
	tvrtko.ursulin, airlied, gregkh, intel-gfx, joonas.lahtinen,
	hackerzheng666, dri-devel, linux-kernel, 1002992920, zhenyuw,
	airlied


On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the
>  caller function ppgtt_populate_spt_by_guest_entry does not notice
>  that, it will free spt again in its error path.

indent

> 
> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> Besides, leave the handle of spt destroy to caller function instead of
> callee function when error occurs.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v5:
> - remove unnecessary switch-case code for there is only one particular case,
> correct the unmap target from parent_spt to sub_spt.add more details in
> commit message. All suggested by Zhenyu
> 
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..4d478a59eb7d 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;
>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */

We need a verb here for Undo.

> +	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> +		gvt_vdbg_mm("invalidate 4K entry\n");
> +		ppgtt_invalidate_pte(sub_spt, &sub_se);
> +	}
> +	/* Release the new allocated spt. */
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;

No need to reset a local variable that is not used afterwards.

I'll handle these trivial fixes during the merge.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

thanks

> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-21  2:58                               ` Zhenyu Wang
From: Zhenyu Wang @ 2022-12-21  2:58 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	intel-gvt-dev, zhi.a.wang


On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the
>  caller function ppgtt_populate_spt_by_guest_entry does not notice
>  that, it will free spt again in its error path.

indent

> 
> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> Besides, leave the handle of spt destroy to caller function instead of
> callee function when error occurs.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v5:
> - remove unnecessary switch-case code for there is only one particular case,
> correct the unmap target from parent_spt to sub_spt.add more details in
> commit message. All suggested by Zhenyu
> 
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..4d478a59eb7d 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;
>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */

We need a verb here for Undo.

> +	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> +		gvt_vdbg_mm("invalidate 4K entry\n");
> +		ppgtt_invalidate_pte(sub_spt, &sub_se);
> +	}
> +	/* Release the new allocated spt. */
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;

No need to reset a local variable that is not used afterwards.

I'll handle these trivial fixes during the merge.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

thanks

> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [Intel-gfx] [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-21  2:58                               ` Zhenyu Wang
From: Zhenyu Wang @ 2022-12-21  2:58 UTC (permalink / raw)
  To: Zheng Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx,
	hackerzheng666, dri-devel, linux-kernel, 1002992920, airlied,
	intel-gvt-dev


On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> If intel_gvt_dma_map_guest_page failed, it will call
>  ppgtt_invalidate_spt, which will finally free the spt. But the
>  caller function ppgtt_populate_spt_by_guest_entry does not notice
>  that, it will free spt again in its error path.

indent

> 
> Fix this by undoing the mapping of DMA address and freeing sub_spt.
> Besides, leave the handle of spt destroy to caller function instead of
> callee function when error occurs.
> 
> Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
> v5:
> - remove unnecessary switch-case code for there is only one particular case,
> correct the unmap target from parent_spt to sub_spt.add more details in
> commit message. All suggested by Zhenyu
> 
> v4:
> - fix by undo the mapping of DMA address and free sub_spt suggested by Zhi
> 
> v3:
> - correct spelling mistake and remove unused variable suggested by Greg
> 
> v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/
> 
> v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
> ---
>  drivers/gpu/drm/i915/gvt/gtt.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
> index 51e5e8fb505b..4d478a59eb7d 100644
> --- a/drivers/gpu/drm/i915/gvt/gtt.c
> +++ b/drivers/gpu/drm/i915/gvt/gtt.c
> @@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
>  		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
>  						   PAGE_SIZE, &dma_addr);
> -		if (ret) {
> -			ppgtt_invalidate_spt(spt);
> -			return ret;
> -		}
> +		if (ret)
> +			goto err;
>  		sub_se.val64 = se->val64;
>  
>  		/* Copy the PAT field from PDE. */
> @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
>  	ops->set_pfn(se, sub_spt->shadow_page.mfn);
>  	ppgtt_set_shadow_entry(spt, se, index);
>  	return 0;
> +err:
> +	/* Undone the existing mappings of DMA addr. */

We need a verb here for Undo.

> +	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> +		gvt_vdbg_mm("invalidate 4K entry\n");
> +		ppgtt_invalidate_pte(sub_spt, &sub_se);
> +	}
> +	/* Release the new allocated spt. */
> +	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> +		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> +	ppgtt_free_spt(sub_spt);
> +	sub_spt = NULL;

No need to reset a local variable that is not used afterwards.

I'll handle these trivial fixes during the merge.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

thanks

> +	return ret;
>  }
>  
>  static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
> -- 
> 2.25.1
> 



* Re: [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-21  2:58                               ` Zhenyu Wang
@ 2022-12-21  5:01                                 ` Zheng Hacker
From: Zheng Hacker @ 2022-12-21  5:01 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: Zheng Wang, zhi.a.wang, alex000young, security, intel-gvt-dev,
	tvrtko.ursulin, airlied, gregkh, intel-gfx, joonas.lahtinen,
	dri-devel, linux-kernel, 1002992920, airlied

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月21日周三 11:01写道:
>
> On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the
> >  caller function ppgtt_populate_spt_by_guest_entry does not notice
> >  that, it will free spt again in its error path.
>
> indent

Yeap :)

> > +             if (ret)
> > +                     goto err;
> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
>
> We need a verb here for Undo.

Get it.

>
> > +     for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> > +             gvt_vdbg_mm("invalidate 4K entry\n");
> > +             ppgtt_invalidate_pte(sub_spt, &sub_se);
> > +     }
> > +     /* Release the new allocated spt. */
> > +     trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> > +             sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> > +     ppgtt_free_spt(sub_spt);
> > +     sub_spt = NULL;
>
> Not need to reset local variable that has no use then.
>
> I'll handle these trivial fixes during the merge.
>

Many thanks for that.

Best regards,
Zheng Wang


* Re: [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-21  5:01                                 ` Zheng Hacker
From: Zheng Hacker @ 2022-12-21  5:01 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: alex000young, security, tvrtko.ursulin, airlied, gregkh,
	intel-gfx, linux-kernel, dri-devel, 1002992920, Zheng Wang,
	intel-gvt-dev, zhi.a.wang

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月21日周三 11:01写道:
>
> On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the
> >  caller function ppgtt_populate_spt_by_guest_entry does not notice
> >  that, it will free spt again in its error path.
>
> indent

Yeap :)

> > +             if (ret)
> > +                     goto err;
> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
>
> We need a verb here for Undo.

Get it.

>
> > +     for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> > +             gvt_vdbg_mm("invalidate 4K entry\n");
> > +             ppgtt_invalidate_pte(sub_spt, &sub_se);
> > +     }
> > +     /* Release the new allocated spt. */
> > +     trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> > +             sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> > +     ppgtt_free_spt(sub_spt);
> > +     sub_spt = NULL;
>
> Not need to reset local variable that has no use then.
>
> I'll handle these trivial fixes during the merge.
>

Many thanks for that.

Best regards,
Zheng Wang


* Re: [Intel-gfx] [PATCH v5] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-21  5:01                                 ` Zheng Hacker
From: Zheng Hacker @ 2022-12-21  5:01 UTC (permalink / raw)
  To: Zhenyu Wang
  Cc: alex000young, security, airlied, gregkh, intel-gfx, linux-kernel,
	dri-devel, 1002992920, airlied, Zheng Wang, intel-gvt-dev

Zhenyu Wang <zhenyuw@linux.intel.com> 于2022年12月21日周三 11:01写道:
>
> On 2022.12.20 17:40:14 +0800, Zheng Wang wrote:
> > If intel_gvt_dma_map_guest_page failed, it will call
> >  ppgtt_invalidate_spt, which will finally free the spt. But the
> >  caller function ppgtt_populate_spt_by_guest_entry does not notice
> >  that, it will free spt again in its error path.
>
> indent

Yeap :)

> > +             if (ret)
> > +                     goto err;
> >               sub_se.val64 = se->val64;
> >
> >               /* Copy the PAT field from PDE. */
> > @@ -1231,6 +1229,18 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
> >       ops->set_pfn(se, sub_spt->shadow_page.mfn);
> >       ppgtt_set_shadow_entry(spt, se, index);
> >       return 0;
> > +err:
> > +     /* Undone the existing mappings of DMA addr. */
>
> We need a verb here for Undo.

Get it.

>
> > +     for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
> > +             gvt_vdbg_mm("invalidate 4K entry\n");
> > +             ppgtt_invalidate_pte(sub_spt, &sub_se);
> > +     }
> > +     /* Release the new allocated spt. */
> > +     trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
> > +             sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
> > +     ppgtt_free_spt(sub_spt);
> > +     sub_spt = NULL;
>
> Not need to reset local variable that has no use then.
>
> I'll handle these trivial fixes during the merge.
>

Many thanks for that.

Best regards,
Zheng Wang


* [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-12-22 12:25 ` Patchwork
From: Patchwork @ 2022-12-22 12:25 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx

== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
URL   : https://patchwork.freedesktop.org/series/108732/
State : warning

== Summary ==

Error: dim checkpatch failed
c4caf92615d0 drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
-:73: CHECK:OPEN_ENDED_LINE: Lines should not end with a '('
#73: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1254:
+			ret1 = ppgtt_invalidate_spt_by_shadow_entry(

-:77: CHECK:PARENTHESIS_ALIGNMENT: Alignment should match open parenthesis
#77: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1258:
+				gvt_vgpu_err("fail: shadow page %p shadow entry 0x%llx type %d\n",
+				spt, e.val64, e.type);

-:82: WARNING:AVOID_BUG: Do not crash the kernel unless it is absolutely unavoidable--use WARN_ON_ONCE() plus recovery code (if feasible) instead of BUG() or variants
#82: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1263:
+			GEM_BUG_ON(1);

-:88: CHECK:PARENTHESIS_ALIGNMENT: Alignment should match open parenthesis
#88: FILE: drivers/gpu/drm/i915/gvt/gtt.c:1269:
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);

total: 0 errors, 1 warnings, 3 checks, 73 lines checked




* [Intel-gfx] ✓ Fi.CI.BAT: success for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-12-22 12:53 ` Patchwork
From: Patchwork @ 2022-12-22 12:53 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx


== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
URL   : https://patchwork.freedesktop.org/series/108732/
State : success

== Summary ==

CI Bug Log - changes from CI_DRM_12521 -> Patchwork_108732v8
====================================================

Summary
-------

  **SUCCESS**

  No regressions found.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/index.html

Participating hosts (46 -> 45)
------------------------------

  Missing    (1): bat-atsm-1 

Known issues
------------

  Here are the changes found in Patchwork_108732v8 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@i915_selftest@live@gt_heartbeat:
    - fi-apl-guc:         [PASS][1] -> [DMESG-FAIL][2] ([i915#5334])
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/fi-apl-guc/igt@i915_selftest@live@gt_heartbeat.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/fi-apl-guc/igt@i915_selftest@live@gt_heartbeat.html

  
#### Possible fixes ####

  * igt@i915_selftest@live@reset:
    - {bat-rpls-2}:       [DMESG-FAIL][3] ([i915#4983]) -> [PASS][4]
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/bat-rpls-2/igt@i915_selftest@live@reset.html
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/bat-rpls-2/igt@i915_selftest@live@reset.html

  * igt@i915_selftest@live@slpc:
    - {bat-rpls-1}:       [DMESG-FAIL][5] ([i915#6367]) -> [PASS][6]
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/bat-rpls-1/igt@i915_selftest@live@slpc.html
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/bat-rpls-1/igt@i915_selftest@live@slpc.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [i915#1845]: https://gitlab.freedesktop.org/drm/intel/issues/1845
  [i915#2867]: https://gitlab.freedesktop.org/drm/intel/issues/2867
  [i915#4312]: https://gitlab.freedesktop.org/drm/intel/issues/4312
  [i915#4983]: https://gitlab.freedesktop.org/drm/intel/issues/4983
  [i915#5334]: https://gitlab.freedesktop.org/drm/intel/issues/5334
  [i915#6367]: https://gitlab.freedesktop.org/drm/intel/issues/6367
  [i915#6687]: https://gitlab.freedesktop.org/drm/intel/issues/6687
  [i915#6997]: https://gitlab.freedesktop.org/drm/intel/issues/6997


Build changes
-------------

  * Linux: CI_DRM_12521 -> Patchwork_108732v8

  CI-20190529: 20190529
  CI_DRM_12521: 584eb294ab7b1273c5ef505a33f2a5d89c877fcd @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_7101: bd33b4c060eb6b2e24c5784b2aa817ae5840f84f @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v8: 584eb294ab7b1273c5ef505a33f2a5d89c877fcd @ git://anongit.freedesktop.org/gfx-ci/linux


### Linux commits

48dff2719e43 drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/index.html



* [Intel-gfx] ✗ Fi.CI.IGT: failure for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-12-22 18:13 ` Patchwork
From: Patchwork @ 2022-12-22 18:13 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx


== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev8)
URL   : https://patchwork.freedesktop.org/series/108732/
State : failure

== Summary ==

CI Bug Log - changes from CI_DRM_12521_full -> Patchwork_108732v8_full
====================================================

Summary
-------

  **FAILURE**

  Serious unknown changes coming with Patchwork_108732v8_full absolutely need to be
  verified manually.
  
  If you think the reported changes have nothing to do with the changes
  introduced in Patchwork_108732v8_full, please notify your bug team to allow them
  to document this new failure mode, which will reduce false positives in CI.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/index.html

Participating hosts (13 -> 11)
------------------------------

  Additional (1): shard-rkl0 
  Missing    (3): pig-skl-6260u pig-kbl-iris pig-glk-j5005 

Possible new issues
-------------------

  Here are the unknown changes that may have been introduced in Patchwork_108732v8_full:

### IGT changes ###

#### Possible regressions ####

  * igt@i915_selftest@live@migrate:
    - shard-glk:          [PASS][1] -> [DMESG-FAIL][2]
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk4/igt@i915_selftest@live@migrate.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk1/igt@i915_selftest@live@migrate.html

  * igt@kms_cursor_legacy@2x-long-cursor-vs-flip-atomic:
    - shard-glk:          [PASS][3] -> [FAIL][4] +1 similar issue
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk1/igt@kms_cursor_legacy@2x-long-cursor-vs-flip-atomic.html
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk6/igt@kms_cursor_legacy@2x-long-cursor-vs-flip-atomic.html

  
#### Suppressed ####

  The following results come from untrusted machines, tests, or statuses.
  They do not affect the overall result.

  * {igt@gem_ccs@block-multicopy-compressed}:
    - {shard-rkl}:        [SKIP][5] ([i915#5325]) -> [SKIP][6]
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@gem_ccs@block-multicopy-compressed.html
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-5/igt@gem_ccs@block-multicopy-compressed.html

  
Known issues
------------

  Here are the changes found in Patchwork_108732v8_full that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size:
    - shard-glk:          [PASS][7] -> [FAIL][8] ([i915#2346]) +1 similar issue
   [7]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk5/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size.html
   [8]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk4/igt@kms_cursor_legacy@flip-vs-cursor@atomic-transitions-varying-size.html

  * igt@kms_flip@flip-vs-expired-vblank-interruptible@c-hdmi-a2:
    - shard-glk:          [PASS][9] -> [FAIL][10] ([i915#79])
   [9]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk5/igt@kms_flip@flip-vs-expired-vblank-interruptible@c-hdmi-a2.html
   [10]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk4/igt@kms_flip@flip-vs-expired-vblank-interruptible@c-hdmi-a2.html

  
#### Possible fixes ####

  * igt@fbdev@unaligned-write:
    - {shard-tglu}:       [SKIP][11] ([i915#2582]) -> [PASS][12]
   [11]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@fbdev@unaligned-write.html
   [12]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@fbdev@unaligned-write.html

  * igt@gem_ctx_persistence@legacy-engines-hang@blt:
    - {shard-rkl}:        [SKIP][13] ([i915#6252]) -> [PASS][14]
   [13]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-5/igt@gem_ctx_persistence@legacy-engines-hang@blt.html
   [14]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-1/igt@gem_ctx_persistence@legacy-engines-hang@blt.html

  * igt@gem_exec_fair@basic-pace@rcs0:
    - shard-glk:          [FAIL][15] ([i915#2842]) -> [PASS][16]
   [15]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk3/igt@gem_exec_fair@basic-pace@rcs0.html
   [16]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk8/igt@gem_exec_fair@basic-pace@rcs0.html

  * igt@gem_exec_reloc@basic-wc-read-noreloc:
    - {shard-rkl}:        [SKIP][17] ([i915#3281]) -> [PASS][18] +13 similar issues
   [17]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-6/igt@gem_exec_reloc@basic-wc-read-noreloc.html
   [18]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-5/igt@gem_exec_reloc@basic-wc-read-noreloc.html

  * igt@gem_partial_pwrite_pread@writes-after-reads-uncached:
    - {shard-rkl}:        [SKIP][19] ([i915#3282]) -> [PASS][20] +4 similar issues
   [19]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-6/igt@gem_partial_pwrite_pread@writes-after-reads-uncached.html
   [20]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-5/igt@gem_partial_pwrite_pread@writes-after-reads-uncached.html

  * igt@gen9_exec_parse@allowed-all:
    - shard-glk:          [DMESG-WARN][21] ([i915#5566] / [i915#716]) -> [PASS][22]
   [21]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk6/igt@gen9_exec_parse@allowed-all.html
   [22]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk8/igt@gen9_exec_parse@allowed-all.html

  * igt@gen9_exec_parse@batch-zero-length:
    - {shard-rkl}:        [SKIP][23] ([i915#2527]) -> [PASS][24] +1 similar issue
   [23]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@gen9_exec_parse@batch-zero-length.html
   [24]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-5/igt@gen9_exec_parse@batch-zero-length.html

  * igt@i915_pm_dc@dc6-psr:
    - {shard-rkl}:        [SKIP][25] ([i915#658]) -> [PASS][26]
   [25]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@i915_pm_dc@dc6-psr.html
   [26]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@i915_pm_dc@dc6-psr.html

  * igt@i915_pm_rpm@modeset-lpsp:
    - {shard-dg1}:        [SKIP][27] ([i915#1397]) -> [PASS][28]
   [27]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-dg1-18/igt@i915_pm_rpm@modeset-lpsp.html
   [28]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-dg1-14/igt@i915_pm_rpm@modeset-lpsp.html

  * igt@i915_pm_rpm@modeset-lpsp-stress:
    - {shard-rkl}:        [SKIP][29] ([i915#1397]) -> [PASS][30]
   [29]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-2/igt@i915_pm_rpm@modeset-lpsp-stress.html
   [30]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@i915_pm_rpm@modeset-lpsp-stress.html

  * igt@i915_pm_rpm@pm-tiling:
    - {shard-tglu}:       [SKIP][31] ([i915#3547]) -> [PASS][32]
   [31]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@i915_pm_rpm@pm-tiling.html
   [32]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@i915_pm_rpm@pm-tiling.html

  * igt@kms_async_flips@alternate-sync-async-flip@pipe-a-hdmi-a-1:
    - shard-glk:          [FAIL][33] ([i915#2521]) -> [PASS][34]
   [33]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-glk9/igt@kms_async_flips@alternate-sync-async-flip@pipe-a-hdmi-a-1.html
   [34]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-glk9/igt@kms_async_flips@alternate-sync-async-flip@pipe-a-hdmi-a-1.html

  * igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-hflip-async-flip:
    - {shard-rkl}:        [SKIP][35] ([i915#1845] / [i915#4098]) -> [PASS][36] +17 similar issues
   [35]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-hflip-async-flip.html
   [36]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@kms_big_fb@y-tiled-max-hw-stride-32bpp-rotate-0-hflip-async-flip.html

  * igt@kms_ccs@pipe-d-bad-pixel-format-y_tiled_gen12_rc_ccs:
    - {shard-tglu}:       [SKIP][37] ([i915#7651]) -> [PASS][38] +9 similar issues
   [37]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@kms_ccs@pipe-d-bad-pixel-format-y_tiled_gen12_rc_ccs.html
   [38]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@kms_ccs@pipe-d-bad-pixel-format-y_tiled_gen12_rc_ccs.html

  * igt@kms_color@legacy-gamma@pipe-d-hdmi-a-4:
    - {shard-dg1}:        [FAIL][39] -> [PASS][40]
   [39]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-dg1-15/igt@kms_color@legacy-gamma@pipe-d-hdmi-a-4.html
   [40]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-dg1-15/igt@kms_color@legacy-gamma@pipe-d-hdmi-a-4.html

  * igt@kms_fbcon_fbt@psr-suspend:
    - {shard-rkl}:        [SKIP][41] ([i915#3955]) -> [PASS][42]
   [41]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@kms_fbcon_fbt@psr-suspend.html
   [42]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@kms_fbcon_fbt@psr-suspend.html

  * igt@kms_frontbuffer_tracking@fbc-rgb565-draw-pwrite:
    - {shard-tglu}:       [SKIP][43] ([i915#1849]) -> [PASS][44] +1 similar issue
   [43]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@kms_frontbuffer_tracking@fbc-rgb565-draw-pwrite.html
   [44]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@kms_frontbuffer_tracking@fbc-rgb565-draw-pwrite.html

  * igt@kms_frontbuffer_tracking@psr-1p-offscren-pri-shrfb-draw-blt:
    - {shard-rkl}:        [SKIP][45] ([i915#1849] / [i915#4098]) -> [PASS][46] +16 similar issues
   [45]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@kms_frontbuffer_tracking@psr-1p-offscren-pri-shrfb-draw-blt.html
   [46]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@kms_frontbuffer_tracking@psr-1p-offscren-pri-shrfb-draw-blt.html

  * igt@kms_plane@plane-position-covered@pipe-a-planes:
    - {shard-rkl}:        [SKIP][47] ([i915#1849] / [i915#3558]) -> [PASS][48] +1 similar issue
   [47]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-2/igt@kms_plane@plane-position-covered@pipe-a-planes.html
   [48]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@kms_plane@plane-position-covered@pipe-a-planes.html

  * igt@kms_psr@primary_blt:
    - {shard-rkl}:        [SKIP][49] ([i915#1072]) -> [PASS][50]
   [49]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-rkl-4/igt@kms_psr@primary_blt.html
   [50]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-rkl-6/igt@kms_psr@primary_blt.html

  * igt@kms_universal_plane@disable-primary-vs-flip-pipe-d:
    - {shard-tglu}:       [SKIP][51] ([fdo#109274]) -> [PASS][52] +2 similar issues
   [51]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@kms_universal_plane@disable-primary-vs-flip-pipe-d.html
   [52]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@kms_universal_plane@disable-primary-vs-flip-pipe-d.html

  * igt@kms_vblank@pipe-c-wait-idle-hang:
    - {shard-tglu}:       [SKIP][53] ([i915#1845] / [i915#7651]) -> [PASS][54] +2 similar issues
   [53]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-tglu-6/igt@kms_vblank@pipe-c-wait-idle-hang.html
   [54]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-tglu-7/igt@kms_vblank@pipe-c-wait-idle-hang.html

  * igt@perf_pmu@idle@rcs0:
    - {shard-dg1}:        [FAIL][55] ([i915#4349]) -> [PASS][56]
   [55]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12521/shard-dg1-17/igt@perf_pmu@idle@rcs0.html
   [56]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/shard-dg1-17/igt@perf_pmu@idle@rcs0.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#103375]: https://bugs.freedesktop.org/show_bug.cgi?id=103375
  [fdo#109274]: https://bugs.freedesktop.org/show_bug.cgi?id=109274
  [fdo#109279]: https://bugs.freedesktop.org/show_bug.cgi?id=109279
  [fdo#109280]: https://bugs.freedesktop.org/show_bug.cgi?id=109280
  [fdo#109283]: https://bugs.freedesktop.org/show_bug.cgi?id=109283
  [fdo#109289]: https://bugs.freedesktop.org/show_bug.cgi?id=109289
  [fdo#109291]: https://bugs.freedesktop.org/show_bug.cgi?id=109291
  [fdo#109295]: https://bugs.freedesktop.org/show_bug.cgi?id=109295
  [fdo#109302]: https://bugs.freedesktop.org/show_bug.cgi?id=109302
  [fdo#109312]: https://bugs.freedesktop.org/show_bug.cgi?id=109312
  [fdo#109315]: https://bugs.freedesktop.org/show_bug.cgi?id=109315
  [fdo#109506]: https://bugs.freedesktop.org/show_bug.cgi?id=109506
  [fdo#109642]: https://bugs.freedesktop.org/show_bug.cgi?id=109642
  [fdo#110189]: https://bugs.freedesktop.org/show_bug.cgi?id=110189
  [fdo#110723]: https://bugs.freedesktop.org/show_bug.cgi?id=110723
  [fdo#111068]: https://bugs.freedesktop.org/show_bug.cgi?id=111068
  [fdo#111614]: https://bugs.freedesktop.org/show_bug.cgi?id=111614
  [fdo#111615]: https://bugs.freedesktop.org/show_bug.cgi?id=111615
  [fdo#111644]: https://bugs.freedesktop.org/show_bug.cgi?id=111644
  [fdo#111656]: https://bugs.freedesktop.org/show_bug.cgi?id=111656
  [fdo#111825]: https://bugs.freedesktop.org/show_bug.cgi?id=111825
  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [fdo#112054]: https://bugs.freedesktop.org/show_bug.cgi?id=112054
  [fdo#112283]: https://bugs.freedesktop.org/show_bug.cgi?id=112283
  [i915#1072]: https://gitlab.freedesktop.org/drm/intel/issues/1072
  [i915#132]: https://gitlab.freedesktop.org/drm/intel/issues/132
  [i915#1397]: https://gitlab.freedesktop.org/drm/intel/issues/1397
  [i915#1769]: https://gitlab.freedesktop.org/drm/intel/issues/1769
  [i915#1825]: https://gitlab.freedesktop.org/drm/intel/issues/1825
  [i915#1839]: https://gitlab.freedesktop.org/drm/intel/issues/1839
  [i915#1845]: https://gitlab.freedesktop.org/drm/intel/issues/1845
  [i915#1849]: https://gitlab.freedesktop.org/drm/intel/issues/1849
  [i915#2346]: https://gitlab.freedesktop.org/drm/intel/issues/2346
  [i915#2437]: https://gitlab.freedesktop.org/drm/intel/issues/2437
  [i915#2521]: https://gitlab.freedesktop.org/drm/intel/issues/2521
  [i915#2527]: https://gitlab.freedesktop.org/drm/intel/issues/2527
  [i915#2532]: https://gitlab.freedesktop.org/drm/intel/issues/2532
  [i915#2575]: https://gitlab.freedesktop.org/drm/intel/issues/2575
  [i915#2582]: https://gitlab.freedesktop.org/drm/intel/issues/2582
  [i915#2587]: https://gitlab.freedesktop.org/drm/intel/issues/2587
  [i915#2658]: https://gitlab.freedesktop.org/drm/intel/issues/2658
  [i915#2672]: https://gitlab.freedesktop.org/drm/intel/issues/2672
  [i915#2681]: https://gitlab.freedesktop.org/drm/intel/issues/2681
  [i915#2705]: https://gitlab.freedesktop.org/drm/intel/issues/2705
  [i915#280]: https://gitlab.freedesktop.org/drm/intel/issues/280
  [i915#2842]: https://gitlab.freedesktop.org/drm/intel/issues/2842
  [i915#2856]: https://gitlab.freedesktop.org/drm/intel/issues/2856
  [i915#2920]: https://gitlab.freedesktop.org/drm/intel/issues/2920
  [i915#2994]: https://gitlab.freedesktop.org/drm/intel/issues/2994
  [i915#3002]: https://gitlab.freedesktop.org/drm/intel/issues/3002
  [i915#3116]: https://gitlab.freedesktop.org/drm/intel/issues/3116
  [i915#315]: https://gitlab.freedesktop.org/drm/intel/issues/315
  [i915#3281]: https://gitlab.freedesktop.org/drm/intel/issues/3281
  [i915#3282]: https://gitlab.freedesktop.org/drm/intel/issues/3282
  [i915#3291]: https://gitlab.freedesktop.org/drm/intel/issues/3291
  [i915#3297]: https://gitlab.freedesktop.org/drm/intel/issues/3297
  [i915#3299]: https://gitlab.freedesktop.org/drm/intel/issues/3299
  [i915#3301]: https://gitlab.freedesktop.org/drm/intel/issues/3301
  [i915#3318]: https://gitlab.freedesktop.org/drm/intel/issues/3318
  [i915#3359]: https://gitlab.freedesktop.org/drm/intel/issues/3359
  [i915#3361]: https://gitlab.freedesktop.org/drm/intel/issues/3361
  [i915#3458]: https://gitlab.freedesktop.org/drm/intel/issues/3458
  [i915#3469]: https://gitlab.freedesktop.org/drm/intel/issues/3469
  [i915#3539]: https://gitlab.freedesktop.org/drm/intel/issues/3539
  [i915#3546]: https://gitlab.freedesktop.org/drm/intel/issues/3546
  [i915#3547]: https://gitlab.freedesktop.org/drm/intel/issues/3547
  [i915#3555]: https://gitlab.freedesktop.org/drm/intel/issues/3555
  [i915#3558]: https://gitlab.freedesktop.org/drm/intel/issues/3558
  [i915#3637]: https://gitlab.freedesktop.org/drm/intel/issues/3637
  [i915#3689]: https://gitlab.freedesktop.org/drm/intel/issues/3689
  [i915#3708]: https://gitlab.freedesktop.org/drm/intel/issues/3708
  [i915#3734]: https://gitlab.freedesktop.org/drm/intel/issues/3734
  [i915#3742]: https://gitlab.freedesktop.org/drm/intel/issues/3742
  [i915#3804]: https://gitlab.freedesktop.org/drm/intel/issues/3804
  [i915#3810]: https://gitlab.freedesktop.org/drm/intel/issues/3810
  [i915#3840]: https://gitlab.freedesktop.org/drm/intel/issues/3840
  [i915#3886]: https://gitlab.freedesktop.org/drm/intel/issues/3886
  [i915#3955]: https://gitlab.freedesktop.org/drm/intel/issues/3955
  [i915#3966]: https://gitlab.freedesktop.org/drm/intel/issues/3966
  [i915#3989]: https://gitlab.freedesktop.org/drm/intel/issues/3989
  [i915#4070]: https://gitlab.freedesktop.org/drm/intel/issues/4070
  [i915#4077]: https://gitlab.freedesktop.org/drm/intel/issues/4077
  [i915#4078]: https://gitlab.freedesktop.org/drm/intel/issues/4078
  [i915#4083]: https://gitlab.freedesktop.org/drm/intel/issues/4083
  [i915#4098]: https://gitlab.freedesktop.org/drm/intel/issues/4098
  [i915#4212]: https://gitlab.freedesktop.org/drm/intel/issues/4212
  [i915#4270]: https://gitlab.freedesktop.org/drm/intel/issues/4270
  [i915#4312]: https://gitlab.freedesktop.org/drm/intel/issues/4312
  [i915#4349]: https://gitlab.freedesktop.org/drm/intel/issues/4349
  [i915#4387]: https://gitlab.freedesktop.org/drm/intel/issues/4387
  [i915#4538]: https://gitlab.freedesktop.org/drm/intel/issues/4538
  [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613
  [i915#4833]: https://gitlab.freedesktop.org/drm/intel/issues/4833
  [i915#4852]: https://gitlab.freedesktop.org/drm/intel/issues/4852
  [i915#4879]: https://gitlab.freedesktop.org/drm/intel/issues/4879
  [i915#4991]: https://gitlab.freedesktop.org/drm/intel/issues/4991
  [i915#5030]: https://gitlab.freedesktop.org/drm/intel/issues/5030
  [i915#5122]: https://gitlab.freedesktop.org/drm/intel/issues/5122
  [i915#5176]: https://gitlab.freedesktop.org/drm/intel/issues/5176
  [i915#5235]: https://gitlab.freedesktop.org/drm/intel/issues/5235
  [i915#5286]: https://gitlab.freedesktop.org/drm/intel/issues/5286
  [i915#5288]: https://gitlab.freedesktop.org/drm/intel/issues/5288
  [i915#5325]: https://gitlab.freedesktop.org/drm/intel/issues/5325
  [i915#5327]: https://gitlab.freedesktop.org/drm/intel/issues/5327
  [i915#533]: https://gitlab.freedesktop.org/drm/intel/issues/533
  [i915#5439]: https://gitlab.freedesktop.org/drm/intel/issues/5439
  [i915#5563]: https://gitlab.freedesktop.org/drm/intel/issues/5563
  [i915#5566]: https://gitlab.freedesktop.org/drm/intel/issues/5566
  [i915#5784]: https://gitlab.freedesktop.org/drm/intel/issues/5784
  [i915#6095]: https://gitlab.freedesktop.org/drm/intel/issues/6095
  [i915#6227]: https://gitlab.freedesktop.org/drm/intel/issues/6227
  [i915#6247]: https://gitlab.freedesktop.org/drm/intel/issues/6247
  [i915#6248]: https://gitlab.freedesktop.org/drm/intel/issues/6248
  [i915#6252]: https://gitlab.freedesktop.org/drm/intel/issues/6252
  [i915#6259]: https://gitlab.freedesktop.org/drm/intel/issues/6259
  [i915#6334]: https://gitlab.freedesktop.org/drm/intel/issues/6334
  [i915#6335]: https://gitlab.freedesktop.org/drm/intel/issues/6335
  [i915#6412]: https://gitlab.freedesktop.org/drm/intel/issues/6412
  [i915#6433]: https://gitlab.freedesktop.org/drm/intel/issues/6433
  [i915#6497]: https://gitlab.freedesktop.org/drm/intel/issues/6497
  [i915#6524]: https://gitlab.freedesktop.org/drm/intel/issues/6524
  [i915#658]: https://gitlab.freedesktop.org/drm/intel/issues/658
  [i915#6768]: https://gitlab.freedesktop.org/drm/intel/issues/6768
  [i915#6944]: https://gitlab.freedesktop.org/drm/intel/issues/6944
  [i915#6946]: https://gitlab.freedesktop.org/drm/intel/issues/6946
  [i915#6953]: https://gitlab.freedesktop.org/drm/intel/issues/6953
  [i915#7116]: https://gitlab.freedesktop.org/drm/intel/issues/7116
  [i915#7118]: https://gitlab.freedesktop.org/drm/intel/issues/7118
  [i915#716]: https://gitlab.freedesktop.org/drm/intel/issues/716
  [i915#7456]: https://gitlab.freedesktop.org/drm/intel/issues/7456
  [i915#7561]: https://gitlab.freedesktop.org/drm/intel/issues/7561
  [i915#7651]: https://gitlab.freedesktop.org/drm/intel/issues/7651
  [i915#7697]: https://gitlab.freedesktop.org/drm/intel/issues/7697
  [i915#7701]: https://gitlab.freedesktop.org/drm/intel/issues/7701
  [i915#7707]: https://gitlab.freedesktop.org/drm/intel/issues/7707
  [i915#7711]: https://gitlab.freedesktop.org/drm/intel/issues/7711
  [i915#79]: https://gitlab.freedesktop.org/drm/intel/issues/79


Build changes
-------------

  * Linux: CI_DRM_12521 -> Patchwork_108732v8
  * Piglit: piglit_4509 -> None

  CI-20190529: 20190529
  CI_DRM_12521: 584eb294ab7b1273c5ef505a33f2a5d89c877fcd @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_7101: bd33b4c060eb6b2e24c5784b2aa817ae5840f84f @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v8: 584eb294ab7b1273c5ef505a33f2a5d89c877fcd @ git://anongit.freedesktop.org/gfx-ci/linux
  piglit_4509: fdc5a4ca11124ab8413c7988896eec4c97336694 @ git://anongit.freedesktop.org/piglit

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v8/index.html



* [PATCH v6] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
  2022-12-19  8:22                           ` Wang, Zhi A
@ 2022-12-29 16:56                             ` Zheng Wang
From: Zheng Wang @ 2022-12-29 16:56 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: 1002992920, airlied, airlied, alex000young, dri-devel, gregkh,
	hackerzheng666, intel-gfx, intel-gvt-dev, joonas.lahtinen,
	linux-kernel, security, tvrtko.ursulin, zhenyuw, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which finally frees the spt. But the caller,
ppgtt_populate_spt_by_guest_entry, does not notice that and frees
spt again in its own error path, resulting in a double free.

Fix this by canceling the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead
of callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
---
v6:
- remove the code for setting unused variable to NULL and fix type suggested
by Zhenyu

v5:
- remove unnecessary switch-case code for there is only one particular case,
correct the unmap target from parent_spt to sub_spt.add more details in
commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..7379e8d98417 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,17 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Cancel the existing addess mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
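Review bot: The `err` unwind releases only `sub_spt` and intentionally leaves the parent `spt` alone, but nothing at the label records that ownership split; the removed lines freed `spt` right here, and the commit message says the caller frees it on error, so a later change that re-adds a `ppgtt_invalidate_spt(spt)` on this path would silently bring the double free back. I would put above the label `/* Undo only what this function allocated: @spt is owned by the caller (ppgtt_populate_spt_by_guest_entry), which frees it on error, so it must not be freed here. */`. The first added comment also has a typo, `addess` -> `address`, and `new allocated` reads better as `newly allocated`. The walk over present entries of `sub_spt` assumes every page mapped in an earlier iteration was written into `sub_spt` as a present entry before the next map attempt; that write is in the part of the loop outside this hunk, so I have not verified it. split_2MB_gtt_entry starts outside the hunk.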
-- 
2.25.1



* [PATCH v6] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-29 16:56                             ` Zheng Wang
From: Zheng Wang @ 2022-12-29 16:56 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, tvrtko.ursulin, airlied,
	gregkh, intel-gfx, hackerzheng666, dri-devel, linux-kernel,
	1002992920, zyytlz.wz

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which finally frees the spt. But the caller,
ppgtt_populate_spt_by_guest_entry, does not notice that and frees
spt again in its own error path, resulting in a double free.

Fix this by canceling the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead
of callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
---
v6:
- remove the code for setting unused variable to NULL and fix type suggested
by Zhenyu

v5:
- remove unnecessary switch-case code for there is only one particular case,
correct the unmap target from parent_spt to sub_spt.add more details in
commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..7379e8d98417 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,17 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Cancel the existing addess mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* [Intel-gfx] [PATCH v6] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry
@ 2022-12-29 16:56                             ` Zheng Wang
From: Zheng Wang @ 2022-12-29 16:56 UTC (permalink / raw)
  To: zhi.a.wang
  Cc: alex000young, security, intel-gvt-dev, airlied, gregkh,
	intel-gfx, hackerzheng666, dri-devel, linux-kernel, 1002992920,
	zyytlz.wz, airlied

If intel_gvt_dma_map_guest_page fails, split_2MB_gtt_entry calls
ppgtt_invalidate_spt, which finally frees the spt. But the caller,
ppgtt_populate_spt_by_guest_entry, does not notice that and frees
spt again in its own error path, resulting in a double free.

Fix this by canceling the mapping of DMA address and freeing sub_spt.
Besides, leave the handle of spt destroy to caller function instead
of callee function when error occurs.

Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
---
v6:
- remove the code for setting unused variable to NULL and fix type suggested
by Zhenyu

v5:
- remove unnecessary switch-case code for there is only one particular case,
correct the unmap target from parent_spt to sub_spt.add more details in
commit message. All suggested by Zhenyu

v4:
- fix by undo the mapping of DMA address and free sub_spt suggested by Zhi

v3:
- correct spelling mistake and remove unused variable suggested by Greg

v2: https://lore.kernel.org/all/20221006165845.1735393-1-zyytlz.wz@163.com/

v1: https://lore.kernel.org/all/20220928033340.1063949-1-zyytlz.wz@163.com/
---
 drivers/gpu/drm/i915/gvt/gtt.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 51e5e8fb505b..7379e8d98417 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1209,10 +1209,8 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	for_each_shadow_entry(sub_spt, &sub_se, sub_index) {
 		ret = intel_gvt_dma_map_guest_page(vgpu, start_gfn + sub_index,
 						   PAGE_SIZE, &dma_addr);
-		if (ret) {
-			ppgtt_invalidate_spt(spt);
-			return ret;
-		}
+		if (ret)
+			goto err;
 		sub_se.val64 = se->val64;
 
 		/* Copy the PAT field from PDE. */
@@ -1231,6 +1229,17 @@ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
 	ops->set_pfn(se, sub_spt->shadow_page.mfn);
 	ppgtt_set_shadow_entry(spt, se, index);
 	return 0;
+err:
+	/* Cancel the existing addess mappings of DMA addr. */
+	for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) {
+		gvt_vdbg_mm("invalidate 4K entry\n");
+		ppgtt_invalidate_pte(sub_spt, &sub_se);
+	}
+	/* Release the new allocated spt. */
+	trace_spt_change(sub_spt->vgpu->id, "release", sub_spt,
+		sub_spt->guest_page.gfn, sub_spt->shadow_page.type);
+	ppgtt_free_spt(sub_spt);
+	return ret;
 }
 
 static int split_64KB_gtt_entry(struct intel_vgpu *vgpu,
-- 
2.25.1



* [Intel-gfx] ✗ Fi.CI.BAT: failure for drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev9)
  2022-09-18 19:24 ` [Intel-gfx] " Zheng Wang
@ 2022-12-29 17:57 ` Patchwork
  -1 siblings, 0 replies; 93+ messages in thread
From: Patchwork @ 2022-12-29 17:57 UTC (permalink / raw)
  To: Zheng Wang; +Cc: intel-gfx


== Series Details ==

Series: drm/i915/gvt: fix double-free bug in split_2MB_gtt_entry (rev9)
URL   : https://patchwork.freedesktop.org/series/108732/
State : failure

== Summary ==

CI Bug Log - changes from CI_DRM_12528 -> Patchwork_108732v9
====================================================

Summary
-------

  **FAILURE**

  Serious unknown changes coming with Patchwork_108732v9 absolutely need to be
  verified manually.
  
  If you think the reported changes have nothing to do with the changes
  introduced in Patchwork_108732v9, please notify your bug team to allow them
  to document this new failure mode, which will reduce false positives in CI.

  External URL: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/index.html

Participating hosts (40 -> 39)
------------------------------

  Additional (3): fi-bsw-kefka bat-dg2-9 bat-atsm-1 
  Missing    (4): bat-rpls-2 bat-dg2-11 fi-icl-u2 fi-skl-6600u 

Possible new issues
-------------------

  Here are the unknown changes that may have been introduced in Patchwork_108732v9:

### CI changes ###

#### Possible regressions ####

  * boot:
    - fi-kbl-8809g:       [PASS][1] -> [FAIL][2]
   [1]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12528/fi-kbl-8809g/boot.html
   [2]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-kbl-8809g/boot.html

  
Known issues
------------

  Here are the changes found in Patchwork_108732v9 that come from known issues:

### IGT changes ###

#### Issues hit ####

  * igt@gem_lmem_swapping@verify-random:
    - bat-adlp-4:         NOTRUN -> [SKIP][3] ([i915#4613]) +3 similar issues
   [3]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@gem_lmem_swapping@verify-random.html

  * igt@i915_pm_rps@basic-api:
    - bat-adlp-4:         NOTRUN -> [SKIP][4] ([i915#6621])
   [4]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@i915_pm_rps@basic-api.html

  * igt@kms_chamelium@common-hpd-after-suspend:
    - bat-adlp-4:         NOTRUN -> [SKIP][5] ([fdo#111827])
   [5]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@kms_chamelium@common-hpd-after-suspend.html

  * igt@kms_chamelium@dp-edid-read:
    - fi-bsw-kefka:       NOTRUN -> [SKIP][6] ([fdo#109271] / [fdo#111827]) +8 similar issues
   [6]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-bsw-kefka/igt@kms_chamelium@dp-edid-read.html

  * igt@kms_cursor_legacy@basic-busy-flip-before-cursor@atomic-transitions:
    - fi-bsw-kefka:       NOTRUN -> [FAIL][7] ([i915#6298])
   [7]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-bsw-kefka/igt@kms_cursor_legacy@basic-busy-flip-before-cursor@atomic-transitions.html

  * igt@kms_setmode@basic-clone-single-crtc:
    - fi-snb-2600:        NOTRUN -> [SKIP][8] ([fdo#109271])
   [8]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-snb-2600/igt@kms_setmode@basic-clone-single-crtc.html

  * igt@prime_vgem@basic-fence-flip:
    - fi-bsw-kefka:       NOTRUN -> [SKIP][9] ([fdo#109271]) +17 similar issues
   [9]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-bsw-kefka/igt@prime_vgem@basic-fence-flip.html

  * igt@prime_vgem@basic-userptr:
    - bat-adlp-4:         NOTRUN -> [SKIP][10] ([fdo#109295] / [i915#3301] / [i915#3708])
   [10]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@prime_vgem@basic-userptr.html

  * igt@prime_vgem@basic-write:
    - bat-adlp-4:         NOTRUN -> [SKIP][11] ([fdo#109295] / [i915#3291] / [i915#3708]) +2 similar issues
   [11]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@prime_vgem@basic-write.html

  
#### Possible fixes ####

  * igt@i915_pm_rpm@basic-rte:
    - bat-adlp-4:         [DMESG-WARN][12] ([i915#7077]) -> [PASS][13]
   [12]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12528/bat-adlp-4/igt@i915_pm_rpm@basic-rte.html
   [13]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-4/igt@i915_pm_rpm@basic-rte.html

  * igt@i915_selftest@live@gt_heartbeat:
    - fi-cfl-8109u:       [DMESG-FAIL][14] ([i915#5334]) -> [PASS][15]
   [14]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12528/fi-cfl-8109u/igt@i915_selftest@live@gt_heartbeat.html
   [15]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/fi-cfl-8109u/igt@i915_selftest@live@gt_heartbeat.html

  * igt@kms_pipe_crc_basic@suspend-read-crc@pipe-c-dp-1:
    - {bat-adlp-9}:       [DMESG-WARN][16] ([i915#2867]) -> [PASS][17]
   [16]: https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_12528/bat-adlp-9/igt@kms_pipe_crc_basic@suspend-read-crc@pipe-c-dp-1.html
   [17]: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/bat-adlp-9/igt@kms_pipe_crc_basic@suspend-read-crc@pipe-c-dp-1.html

  
  {name}: This element is suppressed. This means it is ignored when computing
          the status of the difference (SUCCESS, WARNING, or FAILURE).

  [fdo#109271]: https://bugs.freedesktop.org/show_bug.cgi?id=109271
  [fdo#109285]: https://bugs.freedesktop.org/show_bug.cgi?id=109285
  [fdo#109295]: https://bugs.freedesktop.org/show_bug.cgi?id=109295
  [fdo#111827]: https://bugs.freedesktop.org/show_bug.cgi?id=111827
  [i915#1072]: https://gitlab.freedesktop.org/drm/intel/issues/1072
  [i915#1836]: https://gitlab.freedesktop.org/drm/intel/issues/1836
  [i915#2582]: https://gitlab.freedesktop.org/drm/intel/issues/2582
  [i915#2867]: https://gitlab.freedesktop.org/drm/intel/issues/2867
  [i915#3291]: https://gitlab.freedesktop.org/drm/intel/issues/3291
  [i915#3301]: https://gitlab.freedesktop.org/drm/intel/issues/3301
  [i915#3546]: https://gitlab.freedesktop.org/drm/intel/issues/3546
  [i915#3555]: https://gitlab.freedesktop.org/drm/intel/issues/3555
  [i915#3708]: https://gitlab.freedesktop.org/drm/intel/issues/3708
  [i915#4077]: https://gitlab.freedesktop.org/drm/intel/issues/4077
  [i915#4079]: https://gitlab.freedesktop.org/drm/intel/issues/4079
  [i915#4083]: https://gitlab.freedesktop.org/drm/intel/issues/4083
  [i915#4103]: https://gitlab.freedesktop.org/drm/intel/issues/4103
  [i915#4212]: https://gitlab.freedesktop.org/drm/intel/issues/4212
  [i915#4213]: https://gitlab.freedesktop.org/drm/intel/issues/4213
  [i915#4215]: https://gitlab.freedesktop.org/drm/intel/issues/4215
  [i915#4312]: https://gitlab.freedesktop.org/drm/intel/issues/4312
  [i915#4579]: https://gitlab.freedesktop.org/drm/intel/issues/4579
  [i915#4613]: https://gitlab.freedesktop.org/drm/intel/issues/4613
  [i915#4873]: https://gitlab.freedesktop.org/drm/intel/issues/4873
  [i915#4983]: https://gitlab.freedesktop.org/drm/intel/issues/4983
  [i915#5190]: https://gitlab.freedesktop.org/drm/intel/issues/5190
  [i915#5274]: https://gitlab.freedesktop.org/drm/intel/issues/5274
  [i915#5334]: https://gitlab.freedesktop.org/drm/intel/issues/5334
  [i915#5354]: https://gitlab.freedesktop.org/drm/intel/issues/5354
  [i915#6077]: https://gitlab.freedesktop.org/drm/intel/issues/6077
  [i915#6078]: https://gitlab.freedesktop.org/drm/intel/issues/6078
  [i915#6093]: https://gitlab.freedesktop.org/drm/intel/issues/6093
  [i915#6094]: https://gitlab.freedesktop.org/drm/intel/issues/6094
  [i915#6166]: https://gitlab.freedesktop.org/drm/intel/issues/6166
  [i915#6298]: https://gitlab.freedesktop.org/drm/intel/issues/6298
  [i915#6311]: https://gitlab.freedesktop.org/drm/intel/issues/6311
  [i915#6621]: https://gitlab.freedesktop.org/drm/intel/issues/6621
  [i915#6645]: https://gitlab.freedesktop.org/drm/intel/issues/6645
  [i915#7077]: https://gitlab.freedesktop.org/drm/intel/issues/7077
  [i915#7357]: https://gitlab.freedesktop.org/drm/intel/issues/7357
  [i915#7561]: https://gitlab.freedesktop.org/drm/intel/issues/7561


Build changes
-------------

  * Linux: CI_DRM_12528 -> Patchwork_108732v9

  CI-20190529: 20190529
  CI_DRM_12528: 7e9f060b6f2ad746710306da06ba9c4a53876357 @ git://anongit.freedesktop.org/gfx-ci/linux
  IGT_7104: fe5def13049225967770eaaf19ec01ef80e2adc5 @ https://gitlab.freedesktop.org/drm/igt-gpu-tools.git
  Patchwork_108732v9: 7e9f060b6f2ad746710306da06ba9c4a53876357 @ git://anongit.freedesktop.org/gfx-ci/linux


### Linux commits

f6327f68b19e drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

== Logs ==

For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_108732v9/index.html

